Researchers warn that several botnets built on the Mirai malware codebase are targeting outdated Wazuh XDR and SIEM management servers. For the past several months, the botnets have been exploiting a critical remote code execution vulnerability in Wazuh that was patched in February.
Researchers from content delivery and security company Akamai first detected exploitation of the Wazuh vulnerability in its honeypot servers in March, several weeks after the flaw became public.
“Although the vulnerability has been public for months now, it has not yet been added to CISA’s Known Exploited Vulnerability (KEV) catalog, nor has active exploitation been previously reported,” the Akamai team wrote in a report this week.
Unsafe deserialization in Wazuh API
Wazuh is an open-source threat prevention, detection, and response platform that can monitor both on-premises and cloud server workloads. The platform integrates well with the Docker container management engine, which makes it a popular solution for monitoring Docker containers.
Wazuh is made up of a software agent that gets deployed on endpoints and a management server that collects and analyzes data gathered by the agents. The CVE-2025-24016 vulnerability impacts Wazuh servers from version 4.4.0 (released in March 2023) to 4.9.1.
The unsafe JSON deserialization flaw can be exploited through DistributedAPI parameters to achieve remote code execution. It can be exploited by anyone who has API access, including a compromised Wazuh agent in certain configurations.
Two Mirai variants integrate the exploit
The first botnet exploiting CVE-2025-24016 was detected by Akamai in March and used a proof-of-concept (PoC) exploit that was published for the vulnerability in late February. That exploit targets the /security/user/authenticate/run_as API endpoint.
The second botnet was detected in early May and targeted the /Wazuh endpoint, but the exploit payload is very similar to the previously released PoC exploit. Both botnets exploit additional vulnerabilities for other devices and deploy the Mirai malware.
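As an added defender-side illustration (not code from the article or from Akamai or Wazuh), the following Python checks whether a Wazuh server version falls in the affected 4.4.0 to 4.9.1 range and triages a few constructed API access-log lines for requests to the two endpoints the botnets were seen targeting; the log format is a hypothetical one chosen for the example, and legitimate run_as logins will also appear, so the output is a triage list rather than a verdict.

```python
import re
from typing import Dict, List, Tuple

# Affected server versions as stated in the report: 4.4.0 through 4.9.1 inclusive.
AFFECTED_MIN = (4, 4, 0)
AFFECTED_MAX = (4, 9, 1)

# Endpoints named in the report as hit by the two Mirai variants (compared lower-cased).
WATCHED_PATHS = ("/security/user/authenticate/run_as", "/wazuh")

# Constructed sample log. Hypothetical format: <timestamp> <client> <method> <path> <status>
SAMPLE_LOG = """\
2025-03-12T10:15:01Z 203.0.113.5 POST /security/user/authenticate/run_as 200
2025-03-12T10:15:02Z 198.51.100.7 GET /agents 200
2025-03-12T10:15:09Z 203.0.113.5 POST /security/user/authenticate/run_as 401
2025-05-03T02:41:33Z 192.0.2.44 POST /Wazuh 400
2025-05-03T02:42:00Z 198.51.100.7 GET /manager/info 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '4.9.1' or 'v4.9.1' into a tuple so 4.10.0 sorts above 4.9.1."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised Wazuh version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(v: str) -> bool:
    """True when the server version is inside the CVE-2025-24016 range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def flag_watched_requests(log_text: str) -> List[Dict[str, str]]:
    """Return parsed log records whose path matches one of the watched endpoints."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0].rstrip("/").lower()
        if path in WATCHED_PATHS:
            hits.append(rec)
    return hits


def hits_by_client(log_text: str) -> Dict[str, int]:
    """Count watched-endpoint requests per client to surface repeat callers."""
    counts: Dict[str, int] = {}
    for rec in flag_watched_requests(log_text):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts
```

Feed real API access logs through the same functions after adjusting LOG_RE to the format your server actually emits.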
First launched in 2016, Mirai was one of the most successful malware payloads that commandeered IoT devices and used them to launch distributed denial-of-service (DDoS) attacks. The original botnet was responsible for some of the biggest DDoS attacks recorded on the internet until it was shut down by its creator and the source code for the malware was released on GitHub.
Since then, many variants of Mirai have been observed, as attackers take the original codebase and add new exploits and functionality to it.
The first variant that exploits the Wazuh vulnerability downloads a malicious shell script that fetches the Mirai payload for various CPU architectures. This Mirai variant contains the name “morte” and uses command-and-control (C2) domains previously associated with a Windows-based RAT and several other Mirai variants.
The morte botnet also contains exploits for known vulnerabilities in Hadoop YARN, TP-Link Archer AX21, and ZTE ZXV10 H108L routers. Bundling multiple exploits for IoT devices is common in Mirai variants, although attackers customize the set of exploits each one carries.
The second Mirai botnet exploiting the Wazuh flaw has been dubbed Resbot or Resentual and uses C2 domains that contain Italian words. This botnet also includes exploits for known vulnerabilities in Huawei HG532 and TrueOnline ZyXEL P660HN-T v1 routers as well as the Miniigd UPnP implementation in the Realtek network chipset SDK.
“Researchers’ attempts to educate organizations on the importance of vulnerabilities by creating PoCs continue to lead to baleful results, showing just how dire it is to keep up with patches when they are released,” the Akamai team wrote in its report. “Botnet operators keep tabs on some of these vulnerability disclosures — and, especially in cases where PoCs are made available, they will quickly adapt the PoC code to proliferate their botnet.”
Source: CSO Online, “Mirai botnet weaponizes PoC to exploit Wazuh open-source XDR flaw”.