Mirai Botnets Exploit Critical Wazuh XDR/SIEM Vulnerability (CVE-2025-24016)
Akamai researchers have identified two Mirai botnets actively exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-24016) in Wazuh, a widely used open-source XDR/SIEM platform. The flaw, an unsafe deserialization issue, affects Wazuh Manager versions 4.4.0 through 4.9.0 and can be triggered by attackers with API access—either through a compromised dashboard, server cluster, or, in some configurations, a compromised agent.
Exploitation requires valid Wazuh API credentials, which attackers may obtain through prior breaches or credential theft. The vulnerability was patched in Wazuh 4.9.1 (October 2024), but public disclosure in February 2025 led to active attacks beginning in March 2025.
The botnets leverage a public proof-of-concept (PoC) exploit released on February 21, delivering malicious shell scripts that download Mirai malware variants targeting multiple architectures, including those common in IoT devices. In May 2025, Akamai observed a third Mirai botnet attempting similar attacks, though targeting a non-standard Wazuh endpoint—likely another attempt to exploit the same flaw.
Beyond Wazuh, these botnets also scan for legacy vulnerabilities in Hadoop YARN, TP-Link, ZTE, Huawei, and ZyXEL routers, as well as the RealTek SDK, demonstrating their adaptability in expanding their infrastructure.
The attacks highlight how botnet operators rapidly weaponize public PoC exploits to grow their networks, often before organizations apply patches. This trend mirrors recent incidents, such as the exploitation of a Roundcube RCE flaw, where attackers reverse-engineered patches to exploit vulnerabilities before widespread remediation.
Wazuh cybersecurity rating report: https://www.rankiteo.com/company/wazuh
{
"id": "WAZ1766629994",
"linkid": "wazuh",
"type": "Vulnerability",
"date": "6/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
}
{'affected_entities': [{'customers_affected': 'Organizations using Wazuh Manager versions 4.4.0 - 4.9.0',
                        'industry': 'Cybersecurity',
                        'name': 'Wazuh',
                        'type': 'Open-Source Security Platform'}],
 'attack_vector': 'Remote Code Execution (RCE)',
 'date_detected': '2025-03-01',
 'date_publicly_disclosed': '2025-02-01',
 'description': 'Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform. The vulnerability is an unsafe deserialization flaw in Wazuh Manager versions 4.4.0 through 4.9.0, which can be triggered by attackers with API access or compromised agents. The flaw was patched in version 4.9.1 (October 2024) and publicly disclosed in February 2025. Active exploitation began in March 2025, with botnets using a public PoC exploit to deliver Mirai malware variants targeting IoT devices.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage for Wazuh and affected organizations',
            'operational_impact': 'Potential compromise of security monitoring and incident response capabilities',
            'systems_affected': 'Wazuh Manager (versions 4.4.0 - 4.9.0), IoT devices'},
 'initial_access_broker': {'entry_point': 'Wazuh API access or compromised agents'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Botnet operators rapidly adapt public PoC exploit code to grow or create new botnets. Organizations must prioritize patching critical vulnerabilities promptly to prevent exploitation.',
 'motivation': 'Botnet Expansion',
 'post_incident_analysis': {'corrective_actions': 'Patch management improvements, enhanced API security, and proactive monitoring for exploitation attempts',
                            'root_causes': 'Unsafe deserialization vulnerability in Wazuh Manager (CVE-2025-24016), delayed patching by organizations, and rapid exploitation by botnet operators using public PoC code'},
 'recommendations': ['Upgrade Wazuh Manager to version 4.9.1 or later immediately',
                     'Monitor for unusual API access or compromised agents',
                     'Implement network segmentation to limit lateral movement',
                     'Enhance monitoring for IoT device compromises',
                     'Stay informed about vulnerability disclosures and apply patches promptly'],
 'references': [{'date_accessed': '2025-05-01', 'source': 'Akamai Research'},
                {'date_accessed': '2025-02-01', 'source': 'Wazuh Security Advisory'}],
 'response': {'remediation_measures': 'Upgrade to Wazuh version 4.9.1 or later',
              'third_party_assistance': 'Akamai Researchers'},
 'threat_actor': ['Mirai Botnet Operators'],
 'title': 'Mirai Botnets Exploiting CVE-2025-24016 in Wazuh XDR/SIEM Platform',
 'type': 'Botnet Exploitation',
 'vulnerability_exploited': 'CVE-2025-24016 (Unsafe Deserialization)'}