Full Report
Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.
Analysis Summary
# Vulnerability: Critical Flaw in Wazuh Exploited by Mirai Botnets
## CVE Details
- CVE ID: CVE-2025-24016 (named explicitly in the Akamai report and in the Hackread coverage)
- CVSS Score: 9.9 (Critical), per the Wazuh GitHub security advisory; the Hackread summary itself does not quote a score
- CWE: CWE-502, Deserialization of Untrusted Data, per the Wazuh advisory; the Hackread summary does not state a CWE
## Affected Systems
- Products: Wazuh server (manager), the component that exposes the Wazuh RESTful API and the internal DistributedAPI (DAPI)
- Versions: 4.4.0 through 4.9.0 (the Wazuh advisory lists 4.4.0 <= version < 4.9.1); fixed in 4.9.1. The Hackread summary itself gives no version range.
- Configurations: Wazuh servers whose API (TCP 55000 by default) is reachable by untrusted parties, above all Internet-exposed managers, which is what the Mirai scanners go looking for.
## Vulnerability Description
CVE-2025-24016 is an unsafe deserialization flaw in the Wazuh server. According to the Wazuh advisory, DistributedAPI parameters are serialized as JSON and deserialized with the `as_wazuh_object` function; an attacker who can inject an unsanitized dictionary into a DAPI request or response can forge an "unhandled exception" entry (`__unhandled_exc__`) whose class name is evaluated as Python code, which yields remote code execution on the server. The advisory notes that anyone with API access can trigger it (for example through a compromised dashboard or a cluster peer) and that, in certain configurations, even a compromised agent can. Akamai observed two distinct Mirai botnet variants, Lzrd and Resgod, using the flaw to take over exposed Wazuh servers and enlist them in their botnets.
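The mechanism the advisory describes, reduced to its essence as an added example (this is not Wazuh's code; `unsafe_object_hook`, `safe_object_hook` and the two payloads are constructed for illustration): a JSON `object_hook` that rebuilds an `__unhandled_exc__` entry by `eval`-ing the class name it finds in the document, beside a hardened version that resolves that name against an allowlist of exception classes and never evaluates attacker text.

```python
"""Illustrative reconstruction of the CWE-502 pattern behind CVE-2025-24016.

Added example, not Wazuh's code: the hooks and payloads below imitate the
structure the Wazuh advisory describes (a JSON object_hook that rebuilds an
"__unhandled_exc__" entry by eval'ing a class name) in simplified form.
"""
import builtins
import json


def unsafe_object_hook(dct):
    """Vulnerable: trusts the class name supplied inside the JSON document.

    eval() on attacker-controlled text runs any Python expression, not just
    an exception constructor, so whoever controls the document controls the
    server process.
    """
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # CWE-502 sink
    return dct


# Hardened lookup table: only built-in exception classes may be rebuilt.
ALLOWED_EXCEPTIONS = {
    name: obj
    for name, obj in vars(builtins).items()
    if isinstance(obj, type) and issubclass(obj, BaseException)
}


def safe_object_hook(dct):
    """Hardened: resolve the class name against an allowlist, never eval it."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        if cls is None:
            raise ValueError(f"refusing to deserialize class {exc.get('__class__')!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list):
            raise ValueError("__args__ must be a list")
        return cls(*args)
    return dct


def deserialize(payload: str, hardened: bool):
    """Decode a JSON document with either the vulnerable or the hardened hook."""
    hook = safe_object_hook if hardened else unsafe_object_hook
    return json.loads(payload, object_hook=hook)


# Constructed payloads. BENIGN is what the feature exists for: carrying an
# exception across the API. MALICIOUS abuses the same field to run an
# arbitrary expression; a real attacker would use __import__('os').system,
# here a lambda that only returns a marker tuple.
BENIGN = json.dumps(
    {"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["bad input"]}}
)
MALICIOUS = json.dumps(
    {"__unhandled_exc__": {"__class__": "(lambda cmd: ('executed', cmd))", "__args__": ["id"]}}
)


def demo() -> dict:
    """Run both payloads through both hooks and collect what each one produced."""
    results = {
        "vulnerable_benign": deserialize(BENIGN, hardened=False),
        "vulnerable_malicious": deserialize(MALICIOUS, hardened=False),
        "hardened_benign": deserialize(BENIGN, hardened=True),
    }
    try:
        deserialize(MALICIOUS, hardened=True)
        results["hardened_malicious"] = "accepted"
    except ValueError as e:
        results["hardened_malicious"] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable hook turns the malicious document into executed code while the hardened one still rebuilds the legitimate `ValueError`; the difference is entirely in whether the class name is looked up or evaluated.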
## Exploitation
- Status: Exploited in the wild (Akamai attributes active exploitation to the Lzrd and Resgod Mirai botnets)
- Complexity: Low attack complexity but low privileges required, i.e. the attacker needs valid API credentials, per the CVSS vector in the Wazuh advisory. Mirai scanners go after Internet-exposed services, so an exposed API with weak or default credentials is the likely entry point (inference; not stated in the summary).
- Attack Vector: Network (requests to the Wazuh server API)
## Impact
- Confidentiality: High (arbitrary code runs as the Wazuh server process, which has access to agent keys, alert data and API credentials)
- Integrity: High (the attacker installs the Mirai payload and can tamper with the manager, the very system that is supposed to be watching everything else)
- Availability: High (infected hosts are used for DDoS and scanning, and the manager itself can be taken offline or destabilised)
## Remediation
### Patches
- Upgrade the Wazuh server to 4.9.1 or later, the release that fixes CVE-2025-24016 (the Hackread summary does not name the version; it comes from the Wazuh advisory). The flaw is in the server, not the agents or the dashboard, but keep those at a matching version.
### Workarounds
- Until patched, do not expose the Wazuh API (TCP 55000 by default) to the Internet: restrict it to the dashboard hosts and administrators' networks with host or network firewall rules, and put remote access behind a VPN.
- Because the flaw needs API credentials, disable or rotate default API users, enforce strong passwords, and review the API log (`/var/ossec/logs/api.log`) for logins from unexpected addresses.
- At a WAF or reverse proxy in front of the API, reject requests whose JSON body contains the `__unhandled_exc__` key, which no legitimate API client sends. Blocking known Mirai C2 traffic at the perimeter only helps after infection, so treat it as a secondary control.
## Detection
- Indicators of Compromise: API requests carrying the `__unhandled_exc__` key (the injection point named in the Wazuh advisory); unexpected child processes of the Wazuh API, such as shells, `wget`/`curl` downloaders, or binaries dropped in world-writable directories like /tmp; outbound connections from the manager to unfamiliar hosts, which is how Mirai reaches its C2; and scanning from the manager toward other addresses. Akamai's report lists the file hashes and C2 infrastructure for Lzrd and Resgod; take the specific indicators from there rather than from this summary.
- Detection methods and tools: if request bodies are logged (in api.log or at a proxy in front of the API), alert on the marker key; baseline the manager's outbound traffic and flag new destinations; run an EDR or YARA scan for known Mirai payloads on the manager; and audit the installed version with `/var/ossec/bin/wazuh-control info`, since any 4.4.0 to 4.9.0 server that was reachable should be assumed to have been probed.
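Two checks a responder would run, as an added example (not from the Akamai report or from Wazuh): version triage of `wazuh-control info` output against the affected range in the Wazuh advisory, and a scan of request records for the `__unhandled_exc__` key. The JSON-lines request log format, the addresses, the paths and the sample payload below are constructed for the example; adapt `find_exploit_attempts` to whatever records request bodies in front of your API.

```python
"""Added example: version triage and exploit-attempt hunting for CVE-2025-24016.

Not Wazuh's or Akamai's code. The affected range (4.4.0 <= v < 4.9.1) and
the `__unhandled_exc__` marker come from the Wazuh advisory; the JSON-lines
request log format, addresses, paths and payload below are constructed.
"""
import json
import re

AFFECTED_MIN = (4, 4, 0)      # first affected release per the advisory
FIXED_IN = (4, 9, 1)          # first fixed release per the advisory
MARKER = "__unhandled_exc__"  # injection point named in the advisory


def parse_version(control_info: str) -> tuple:
    """Extract (major, minor, patch) from `wazuh-control info` output."""
    m = re.search(r'WAZUH_VERSION="v?(\d+)\.(\d+)\.(\d+)"', control_info)
    if not m:
        raise ValueError("no WAZUH_VERSION line found")
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True if the server version lies in the advisory's affected range."""
    return AFFECTED_MIN <= tuple(version) < FIXED_IN


def body_has_marker(body) -> bool:
    """Walk a decoded JSON body; True if the marker key appears at any depth."""
    if isinstance(body, dict):
        return MARKER in body or any(body_has_marker(v) for v in body.values())
    if isinstance(body, list):
        return any(body_has_marker(v) for v in body)
    return False


def find_exploit_attempts(lines):
    """Return (src_ip, path) for each request record whose body carries the marker.

    Each line is one JSON object with at least "src_ip", "path" and "body"
    (body either as a JSON string or an embedded object). Non-JSON lines are
    skipped; a string body that is not valid JSON is still searched as text so
    that malformed exploit attempts are not missed.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        body = rec.get("body")
        if isinstance(body, str):
            try:
                body = json.loads(body)
            except json.JSONDecodeError:
                if MARKER in body:
                    hits.append((rec.get("src_ip"), rec.get("path")))
                continue
        if body_has_marker(body):
            hits.append((rec.get("src_ip"), rec.get("path")))
    return hits


# Constructed sample data: not real logs and not real indicators.
SAMPLE_CONTROL_INFO = 'WAZUH_VERSION="v4.9.0"\nWAZUH_REVISION="40900"\nWAZUH_TYPE="server"\n'

SAMPLE_LOG = r"""
{"ts":"2025-06-09T10:00:01Z","src_ip":"203.0.113.10","method":"POST","path":"/security/user/authenticate","body":"{}"}
{"ts":"2025-06-09T10:00:02Z","src_ip":"203.0.113.10","method":"GET","path":"/agents","body":""}
not a json record at all
{"ts":"2025-06-09T10:00:03Z","src_ip":"198.51.100.7","method":"POST","path":"/security/user/authenticate/run_as","body":"{\"__unhandled_exc__\":{\"__class__\":\"__import__('os').system\",\"__args__\":[\"placeholder\"]}}"}
"""


def triage() -> dict:
    """Run both checks on the constructed samples and return the findings."""
    version = parse_version(SAMPLE_CONTROL_INFO)
    return {
        "version": version,
        "affected": is_affected(version),
        "exploit_attempts": find_exploit_attempts(SAMPLE_LOG.splitlines()),
    }


if __name__ == "__main__":
    findings = triage()
    v = ".".join(map(str, findings["version"]))
    state = "AFFECTED, upgrade to 4.9.1 or later" if findings["affected"] else "not affected"
    print(f"Wazuh {v}: {state}")
    for ip, path in findings["exploit_attempts"]:
        print(f"exploit attempt from {ip} against {path}")
```

The marker search walks the whole body rather than matching the top level only, because the advisory's injection point is any dictionary that reaches the deserializer, not a specific field; the version check is a range comparison on the parsed tuple so it also flags 4.4.x and 4.5.x servers, not just 4.9.0.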
## References
- Akamai’s latest report on the threat.
- Vendor advisories from Wazuh concerning CVE-2025-24016.
- Relevant links - defanged:
- hxxps://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/