The Akamai Security Intelligence and Response Team (SIRT) has detected active exploitation of command injection vulnerabilities CVE-2024-6047 and CVE-2024-11120 affecting discontinued GeoVision IoT devices.
The malicious activities first surfaced through Akamai’s global network of honeypots in April 2025.
This marks the first observed in-the-wild exploitation of these vulnerabilities since their initial disclosures in June and November 2024, respectively, and highlights the ongoing risks associated with unsupported hardware.
Exploit Details and Attack Chain
The attack targets the /DateSetting.cgi endpoint on affected GeoVision devices, specifically exploiting a lack of input sanitization in the szSrvIpAddr parameter.
Remote, unauthenticated attackers are able to inject arbitrary system commands, enabling full device compromise without user interaction.
Investigation revealed that threat actors are leveraging the compromised endpoint to download and execute Mirai-based ARM malware, notably a variant referred to as “LZRD” (typically named boatnet.arm7).
Upon execution, this Mirai variant displays a distinctive console string, facilitating identification.
The malware incorporates a suite of built-in attack modules, consistent with established Mirai functionalities, including UDP flood, TCP ACK, SYN, and custom attack methods.
Notably, the malware’s codebase harbors a hard-coded command and control (C2) IP address, indicative of centrally orchestrated botnet operations.

Further analysis of the infrastructure connected to these C2 addresses revealed banner messages similar to “Infected Slurs,” previously associated with the TBOTNET botnet family.
This association suggests evolution and re-use of botnet infrastructure by adversaries, as legacy campaigns persist and adapt.
Threat Landscape: Multiple Vulnerabilities Targeted
Beyond the GeoVision vulnerabilities, the same botnet campaign has attempted to exploit a spectrum of known IoT flaws, including a Hadoop YARN bug, exploits in ZTE ZXV10 H108L routers (CVE-2018-10561), and the DigiEver vulnerability reported by Akamai in previous advisories.
The convergence of these exploits demonstrates the attacker’s strategy of leveraging a broad set of unpatched, obsolete devices to maximize botnet scale.
This campaign underscores the chronic risk posed by end-of-life IoT products that do not receive security updates.
GeoVision has confirmed the affected models are discontinued and will not be patched.
As a result, organizations are urged to decommission vulnerable devices and upgrade to supported hardware as the only effective mitigation strategy.
Where replacement is not immediately possible, network-level defenses and vigilant monitoring for the provided indicators of compromise are essential.
Akamai SIRT continues to monitor this threat and recommends defenders utilize the IOCs below for detection and response.
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| C2 IP Addresses | 209.141.44.28, 51.38.137.114, 176.65.144.253, 176.65.144.232, 198.23.212.246 |
| C2 Domain | connect.antiwifi.dev |
| Malware Sample SHA256 | f05247a2322e212513ee08b2e8513f4c764bde7b30831736dfc927097baf6714, 11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114, 8df660bd1722a09c45fb213e591d1dab73f24d240c456865fe0e2dc85573d85e, ecc794a86dcc51b1f74d8b1eb9e7e0158381faadaf4cb4ee8febd4ba17fd2516, 03b1506c474a6f62f2e2b73ba4995b14da70b27e6d0aaea92638197e94d937c3, 0333c6ac43c6e977e9a1c5071194d3cf8aa01222194c6e7f2fd13e631d03522d … (full list available in the Yara/Snort rules) |
| Exploited Endpoints | /DateSetting.cgi, /cgi-bin/cgi_main.cgi |
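As an added defensive example (not Akamai's code and not tooling from the advisory), the following Python script ties together the two technical points on this page: the command injection in the szSrvIpAddr parameter of /DateSetting.cgi, and the IOC table. It scans web-server access-log lines for requests to the exploited endpoints whose szSrvIpAddr value is not a plain IP address or hostname (an allow-list check, so encoded or unusual payloads are flagged without a metacharacter blocklist), and matches connection destinations against the C2 IPs and domain listed above. The combined-log-format layout, the function names and all sample log lines are constructed for this example; the IOC values are copied from the table.

```python
"""Detection helper for the GeoVision /DateSetting.cgi campaign described above.

Added example, not Akamai's code. Assumes Apache/nginx combined-format access
logs for the request checks and a (destination IP, destination hostname) pair
for the network IOC checks. All sample data below is constructed.
"""
import ipaddress
import re
from urllib.parse import unquote_plus, urlsplit

# Indicators copied from the advisory's IOC table.
C2_IPS = {
    "209.141.44.28", "51.38.137.114", "176.65.144.253",
    "176.65.144.232", "198.23.212.246",
}
C2_DOMAINS = {"connect.antiwifi.dev"}
EXPLOITED_ENDPOINTS = {"/DateSetting.cgi", "/cgi-bin/cgi_main.cgi"}

# The only parameter the advisory names. A time-server field should contain
# nothing but an IP address or a hostname, so anything else is suspect.
SUSPECT_PARAMS = {"szSrvIpAddr"}
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Combined log format: client IP, ident, user, [timestamp], "request line", status.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_plausible_server_address(value: str) -> bool:
    """Allow-list check: empty (cleared), a literal IP address, or a hostname."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def parse_query(query: str):
    """Split a query string on '&' only and percent-decode each side.

    Done by hand rather than with parse_qs so that ';' is never treated as a
    pair separator (older Python versions did, which would split a payload
    into two harmless-looking keys).
    """
    pairs = []
    for chunk in query.split("&"):
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_request(line: str):
    """Return None for lines not touching an exploited endpoint, else a finding dict.

    severity is "high" when szSrvIpAddr carries a non-address value and "info"
    when only the endpoint itself was requested.
    """
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path not in EXPLOITED_ENDPOINTS:
        return None
    injected = [
        value
        for name, value in parse_query(parts.query)
        if name in SUSPECT_PARAMS and not is_plausible_server_address(value)
    ]
    return {
        "src": m.group("src"),
        "path": parts.path,
        "injected_values": injected,
        "severity": "high" if injected else "info",
    }


def match_network_ioc(dst_ip: str, dst_host: str = ""):
    """Match an outbound destination against the C2 IPs and domain from the table."""
    hits = []
    if dst_ip in C2_IPS:
        hits.append(f"connection to C2 IP {dst_ip}")
    host = dst_host.lower().rstrip(".")
    if host and (host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)):
        hits.append(f"destination name matches C2 domain {host}")
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
# Line 0 carries a shell separator followed by an arbitrary token in the
# time-server field; line 1 is a legitimate-looking NTP configuration change.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [12/Apr/2025:10:01:02 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10%3Bfoo HTTP/1.1" 200 512',
    '198.51.100.8 - - [12/Apr/2025:10:01:05 +0000] "GET /DateSetting.cgi?szSrvIpAddr=pool.ntp.org HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Apr/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.10 - - [12/Apr/2025:10:03:11 +0000] "GET /cgi-bin/cgi_main.cgi HTTP/1.1" 404 162',
]


def scan_access_log(lines):
    """Return {line_index: finding} for every line that produced a finding."""
    results = {}
    for i, line in enumerate(lines):
        finding = analyze_request(line)
        if finding is not None:
            results[i] = finding
    return results


if __name__ == "__main__":
    for idx, finding in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(idx, finding)
    print(match_network_ioc("209.141.44.28", "connect.antiwifi.dev"))
```

Two caveats for anyone adapting this: a standard access log records only the query string, so the same parameter submitted in a POST body is invisible to this check and needs a proxy or WAF log that captures bodies; and because the affected models will not be patched, any request to /DateSetting.cgi arriving from an untrusted network is worth reviewing even at "info" severity, since these devices should not be reachable from the internet at all.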