Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)

Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned.


What is Wazuh?

Wazuh is a popular open-source security information and event management (SIEM) and extended detection and response (XDR) solution that’s widely used for host-based intrusion detection, log analysis, file integrity monitoring, and more.

Its core components are:

  • Wazuh Manager (server component), which analyzes data and triggers alerts. It is made to be installed on Debian and RHEL-based operating systems
  • Wazuh Agent, which collects data and sends it to the Manager component. Agents are installed on the endpoints that need to be monitored
  • Elasticsearch & Kibana, which are used for indexing and visualizing the security data

CVE-2025-24016 is an unsafe deserialization vulnerability in Wazuh Manager versions 4.4.0 through 4.9.0.

“The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent,” the security advisory notes, and explains how the vulnerability can be triggered.

To exploit the flaw, attackers must acquire the username and password of a valid Wazuh API user.

The vulnerability was patched in Wazuh version 4.9.1, released in October 2024, and the existence of the flaw was made public in February 2025.
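As an added example (not code from the article, from Akamai, or from the Wazuh project), the check below turns the affected range stated above (Manager 4.4.0 through 4.9.0, fixed in 4.9.1) into a triage function a defender can run against a fleet inventory. It assumes the version is obtained from the `WAZUH_VERSION` and `WAZUH_TYPE` lines printed by `wazuh-control info` on the host; that output format is an assumption, and the sample output is constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected range and fixed release as stated in the advisory text above.
FIRST_AFFECTED: Version = (4, 4, 0)
LAST_AFFECTED: Version = (4, 9, 0)
FIXED_IN: Version = (4, 9, 1)

# Constructed sample of `wazuh-control info` output (key names/format assumed).
SAMPLE_INFO = '''WAZUH_VERSION="v4.8.2"
WAZUH_REVISION="40820"
WAZUH_TYPE="server"
'''


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from strings such as 'v4.8.2' or 'Wazuh 4.9.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_control_info(output: str) -> Tuple[Optional[Version], str]:
    """Return (version, component type) from wazuh-control info style output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return parse_version(fields.get("WAZUH_VERSION", "")), fields.get("WAZUH_TYPE", "")


def assess(version: Optional[Version], component: str = "server") -> str:
    """Classify one Wazuh install against the CVE-2025-24016 affected range."""
    if version is None:
        return "unknown: could not parse a version"
    if component != "server":
        return "not-applicable: only the Wazuh Manager (server) is affected"
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "vulnerable: upgrade to %d.%d.%d or later" % FIXED_IN
    if version < FIRST_AFFECTED:
        return "outside-stated-range: older than 4.4.0, upgrade anyway"
    return "patched"


def check_control_info(output: str) -> str:
    """Convenience wrapper: parse wazuh-control info output and assess it."""
    return assess(*parse_control_info(output))
```

Versions that cannot be parsed are reported as unknown rather than silently treated as patched, so they surface for manual review.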

Mirai botnets leveraging CVE-2025-24016

According to Akamai, active exploitation of the vulnerability started in March 2025.

The vulnerability is being exploited to enlarge two separate Mirai botnets. The exploit used is based on a PoC made public on February 21, and delivers and executes a malicious shell script that downloads different variants of the Mirai malware.

In early May 2025, Akamai also detected another Mirai botnet sending similarly structured requests that targeted a non-standard Wazuh endpoint.

“As the requests are almost identical to the PoC, aside from the endpoint, it is likely that the botnet is still attempting to exploit the same Wazuh vulnerability,” Akamai researchers shared.

Like the first botnet, the Mirai payloads delivered in these exploitation attempts target a wide variety of architectures typical for IoT devices.

The two botnets are also trying to exploit old vulnerabilities in Hadoop YARN, legacy TP-Link, ZTE, Huawei and ZyXEL routers, and the RealTek SDK.

These attacks show that botnet operators keep tabs on vulnerability disclosures and are quick to adapt public PoC exploit code to grow or create new botnets, Akamai researchers concluded.

Unfortunately, as the recent speedy weaponization of an RCE flaw in Roundcube has shown, skillful attackers don’t have to wait for a PoC exploit to be released – they can take advantage of public patches and commit messages to unearth recently patched flaws and start exploiting them before most users have had the chance to implement the fix.
