Recent activity has revealed that cybercriminals are actively exploiting security vulnerabilities in GeoVision’s end-of-life Internet of Things (IoT) devices. The compromised devices are being recruited into a Mirai botnet that conducts distributed denial-of-service (DDoS) attacks.
Initial observations by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025 uncovered the exploitation of two critical command injection vulnerabilities (CVE-2024-6047 and CVE-2024-11120, with a CVSS score of 9.8). These flaws allow attackers to execute arbitrary commands on the affected system.
According to Akamai researcher Kyle Lefton, the attacks specifically target the /DateSetting.cgi endpoint in GeoVision IoT devices by injecting commands into the szSrvIpAddr parameter. This method allows attackers to gain control over vulnerable devices.
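Defenders who still have these devices behind a web proxy or logging reverse proxy can triage access logs for the pattern described above. The following is an added example (not code from Akamai or GeoVision); it assumes the parameter arrives in the query string, treats anything in szSrvIpAddr that is not a bare IP address as suspicious, and runs over constructed sample lines.

```python
"""Access-log triage for the GeoVision /DateSetting.cgi command injection.
Assumes the parameter travels in the query string (visible in access logs);
POST bodies would need a WAF or proxy log. Sample lines are constructed."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access line; only source IP, method and request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
TARGET_PATH = "/DateSetting.cgi"
TARGET_PARAM = "szSrvIpAddr"
# Characters that never belong in an IP address but do in an injected shell string.
SHELL_META = re.compile(r"[;|&`$()<>\n]")

def _is_plain_ip(value: str) -> bool:
    """The parameter is meant to carry a server IP, so that is all that is accepted."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def inspect_request(method: str, target: str):
    """Return a finding string for a suspicious request, or None if it is clean."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    # parse_qs URL-decodes, so percent-encoded metacharacters (%3B, %7C, ...) are caught.
    for value in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
        if _is_plain_ip(value):
            continue
        reason = "shell metacharacters" if SHELL_META.search(value) else "non-IP value"
        return f"{method} {TARGET_PATH}: {TARGET_PARAM} rejected ({reason}): {value!r}"
    return None

def scan_log(lines):
    """Return (source_ip, finding) pairs for every suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        finding = inspect_request(m["method"], m["target"]) if m else None
        if finding:
            hits.append((m["ip"], finding))
    return hits

SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    '203.0.113.7 - - [02/Apr/2025:10:15:01 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Apr/2025:10:15:07 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10%3Bid HTTP/1.1" 200 0',
    '198.51.100.9 - - [02/Apr/2025:10:15:09 +0000] "GET /index.htm HTTP/1.1" 200 2048',
]
```

The same allow-list check (accept only a parseable IP address) is what the CGI handler itself should apply before the value reaches any shell; the detection logic simply mirrors that rule from the outside.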
The botnet operators inject commands that download and execute an ARM variant of the Mirai malware known as LZRD. The same campaign also exploits other vulnerabilities, including a known issue in Hadoop YARN (CVE-2018-10561) and a defect affecting DigiEver that was highlighted in late 2024.
Research suggests this campaign may overlap with activity previously labeled as InfectedSlurs. Lefton noted the trend of cybercriminals targeting outdated firmware on legacy devices as one of the most effective ways to build a botnet, particularly since many manufacturers cease to provide security updates for retired products.
Given that GeoVision devices are unlikely to receive any further patches, it is recommended that users consider upgrading to more secure, newer models to mitigate potential vulnerabilities.
Exploitation of Samsung MagicINFO Vulnerabilities
Meanwhile, a related disclosure from Arctic Wolf and the SANS Technology Institute has indicated that a flaw in Samsung MagicINFO 9 Server is being actively exploited to deploy the Mirai botnet. This follows the recent publication of a proof-of-concept on April 30, 2025, highlighting a path traversal vulnerability (CVE-2024-7399, CVSS score 8.8) that allows attackers to manipulate server files.
Further investigation by cybersecurity firm Huntress has revealed that even the latest version of Samsung MagicINFO 9 Server remains exploitable, which suggests that the patch issued in August 2024 did not fully address the issue. Notably, the path traversal can lead to remote code execution if crafted JavaServer Pages (JSP) files are uploaded to the server.
The findings indicate a pressing need for organizations utilizing Samsung MagicINFO to reassess their security postures, as the only reliable mitigation currently available is to restrict affected services from public access.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding the GeoVision vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating that federal agencies implement fixes by May 28, 2025, or discontinue use of the affected products entirely. This measure underscores the ongoing risks associated with unsupported devices.
As cyber threats continue to evolve, it becomes increasingly crucial for businesses to keep firmware and software current. Organizations should also consider risk mitigation strategies aligned with the MITRE ATT&CK framework, focusing in particular on the initial access, persistence, and privilege escalation tactics to fortify defenses against such attacks.
As more information emerges about these vulnerabilities, further updates from the cybersecurity community and manufacturers are anticipated to better inform affected users.