Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability
Akamai Technologies, Monday, June 9th, 2025
The Akamai SIRT discovered active exploitation of the remotely executable Wazuh unsafe deserialization vulnerability CVE-2025-24016 in late March 2025, just a few weeks after the vulnerability's initial disclosure.
Executive Summary
The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 against Wazuh servers (CVSS 9.9).
The vulnerability takes advantage of decentralized API (DAPI) requests, allowing an attacker to remotely execute code by uploading an unsanitized dictionary.
We observed two campaigns of Mirai variants exploiting this vulnerability. One of these, 'Resbot,' has Italian nomenclature involved in its domains, possibly alluding to the targeted geography or language spoken by the affected device owner.
The Akamai SIRT first identified activity in our global network of honeypots in March 2025. This is the first reported active exploitation of this vulnerability since the initial disclosure in February 2025.
The botnets exploiting this vulnerability have leveraged several known vulnerabilities, including CVE-2023-1389, CVE-2017-17215, CVE-2017-18368, and others.
We have included a list of indicators of compromise (IOCs) at the end of this blog post to assist in defense against this threat.