Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability

Source: Akamai

Excerpt:

The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 against Wazuh servers (CVSS 9.9).

The vulnerability takes advantage of decentralized API (DAPI) requests, allowing an attacker to remotely execute code by uploading an unsanitized dictionary.

We observed two campaigns of Mirai variants exploiting this vulnerability. One of these, “Resbot,” has Italian nomenclature involved in its domains, possibly alluding to the targeted geography or language spoken by the affected device owner.

The Akamai SIRT first identified activity in our global network of honeypots in March 2025. This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025.

The botnets exploiting this vulnerability have leveraged several known vulnerabilities, including CVE-2023-1389, CVE-2017-17215, CVE-2017-18368, and others.

We have included a list of indicators of compromise (IOCs) at the end of this blog post to assist in defense against this threat.

To read the complete article see: Akamai Blog

This post is licensed under CC BY 4.0 by the author.