Mirai Botnets Exploiting CVE-2025-24016 in Wazuh XDR/SIEM Platform

**Mirai Botnets Exploit Critical Wazuh XDR/SIEM Vulnerability (CVE-2025-24016)** Akamai researchers have identified two Mirai botnets actively exploiting a critical remote code execution (RCE) vulnerability (**CVE-2025-24016**) in **Wazuh**, a widely used open-source **XDR/SIEM** platform. The flaw, an **unsafe deserialization issue**, affects **Wazuh Manager versions 4.4.0 through 4.9.0** and can be triggered by attackers with API access—either through a compromised dashboard, server cluster, or, in some configurations, a compromised agent. Exploitation requires valid Wazuh API credentials, which attackers may obtain through prior breaches or credential theft. The vulnerability was **patched in Wazuh 4.9.1 (October 2024)**, but public disclosure in **February 2025** led to active attacks beginning in **March 2025**. The botnets leverage a **public proof-of-concept (PoC) exploit** released on **February 21**, delivering malicious shell scripts that download **Mirai malware variants** targeting multiple architectures, including those common in **IoT devices**. In **May 2025**, Akamai observed a third Mirai botnet attempting similar attacks, though targeting a non-standard Wazuh endpoint—likely another attempt to exploit the same flaw. Beyond Wazuh, these botnets also scan for **legacy vulnerabilities** in **Hadoop YARN, TP-Link, ZTE, Huawei, and ZyXEL routers**, as well as the **RealTek SDK**, demonstrating their adaptability in expanding their infrastructure. The attacks highlight how botnet operators **rapidly weaponize public PoC exploits** to grow their networks, often before organizations apply patches. This trend mirrors recent incidents, such as the **exploitation of a Roundcube RCE flaw**, where attackers reverse-engineered patches to exploit vulnerabilities before widespread remediation.