Two Separate Botnets Target Wazuh Server Vulnerability for Mirai-Based Attacks

June 09, 2025
Wazuh Server Vulnerability

A critical security flaw in the Wazuh Server, now patched, has been exploited by threat actors to deploy two distinct variants of the Mirai botnet for executing distributed denial-of-service (DDoS) attacks. Akamai, which identified these exploitation efforts in late March 2025, reports that the campaign is targeting CVE-2025-24016 (CVSS score: 9.9), a dangerous deserialization vulnerability enabling remote code execution on affected Wazuh servers. This vulnerability impacts all server software versions from 4.4.0 onward and was addressed in February 2025 with the release of version 4.9.1. A proof-of-concept (PoC) exploit became publicly available around the same time. The issue stems from the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and then deserialized using “as_wazuh_object” in the framework/wazuh/core/cluster/common.py file. Malicious actors can exploit this vulnerability by injecting harmful JSON…

Two Separate Botnets Exploit Wazuh Server Vulnerability for Mirai-Based Attacks

On June 9, 2025, cybersecurity experts reported that a critical vulnerability in the Wazuh Server is being actively exploited by malicious actors to deploy two different variants of the Mirai botnet. This exploitation has facilitated a series of distributed denial-of-service (DDoS) attacks that pose significant threats to targeted organizations.

The root of this issue lies in a flaw designated CVE-2025-24016, which boasts a high severity rating of 9.9 on the Common Vulnerability Scoring System (CVSS). Discovered by Akamai in late March 2025, the vulnerability enables unsafe deserialization, allowing attackers to execute remote code on vulnerable Wazuh servers. This security defect affects all versions of the software beginning with 4.4.0 and was addressed with the release of version 4.9.1 in February 2025.

At the heart of this vulnerability is the Wazuh API, particularly in its handling of parameters within the Distributed API. Parameters are serialized as JSON and then deserialized through the “as_wazuh_object” method located in the framework/wazuh/core/cluster/common.py file. Attackers have been able to exploit this flaw by injecting malicious JSON, thereby gaining unauthorized access to critical server functionality.

Targets of these botnet attacks include organizations that utilize Wazuh servers for security monitoring and threat detection. The exact geographic locations of the victims are still being assessed, but awareness is crucial for businesses employing such servers. The adversaries behind these attacks exhibit tactics and techniques consistent with the MITRE ATT&CK framework, specifically focusing on initial access, execution, and persistence phases. Initial access was likely achieved through the exploitation of the aforementioned vulnerability, while execution techniques may have involved the execution of injected code.

DDoS attacks are notorious for their capacity to disrupt operations, making it imperative for businesses to remain vigilant against such exploits. The implications of falling prey to these attacks stretch beyond immediate operational downtimes, potentially eroding customer trust and damaging reputations. Companies are encouraged to assess their current Wazuh infrastructure and ensure they are operating on the latest patched versions to mitigate risks associated with such vulnerabilities.

Security teams are advised to adopt comprehensive monitoring of their networks and implement proactive defenses following the principles outlined in the MITRE ATT&CK framework. This includes identifying potential entry points, preparing response protocols, and maintaining up-to-date patch management practices.

As cyber threats continue to evolve, understanding and acting upon vulnerabilities like the one found in Wazuh can be pivotal in safeguarding organizational assets and maintaining robust cybersecurity postures. The urgency of this situation underscores the importance of proactive cybersecurity measures in today’s increasingly interconnected world.

Source link

Related Posts

China-Linked Cyber Espionage Group Targets Over 70 Organizations Across Diverse Sectors

June 9, 2025
Government Security / Cyber Espionage

Recent reconnaissance efforts against American cybersecurity firm SentinelOne are part of a larger wave of intrusions affecting various targets between July 2024 and March 2025. “The victims include a South Asian government agency, a European media outlet, and over 70 organizations spanning numerous sectors,” noted SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel in a recent report. Affected sectors include manufacturing, government, finance, telecommunications, and research. Notably, an IT services and logistics firm was compromised while managing equipment logistics for SentinelOne staff during the breach in early 2025. This malicious activity has been confidently linked to threat actors associated with China, with some attacks attributed to a cluster known as PurpleHaze, which overlaps with recognized Chinese cyber espionage groups labeled APT15.

CISA Includes Erlang SSH and Roundcube Vulnerabilities in Known Exploited Threats Catalog

On June 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two significant security vulnerabilities affecting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The identified vulnerabilities are:

  • CVE-2025-32433 (CVSS score: 10.0): A critical missing authentication flaw in the Erlang/OTP SSH server that could enable an attacker to execute arbitrary commands without proper credentials, potentially leading to unauthenticated remote code execution. (Patched in April 2025 in versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20)

  • CVE-2024-42009 (CVSS score: 9.3): A cross-site scripting (XSS) vulnerability in RoundCube Webmail that may allow a remote attacker to compromise a victim’s email account by exploiting a desanitization flaw in program/actions/mail/show.php. (Fixed in August 2024 in versions 1.6…)

Researcher Uncovers Vulnerability Exposing Phone Numbers Linked to Google Accounts

Jun 10, 2025
Vulnerability / API Security

Google has acted to resolve a security flaw that could allow malicious actors to brute-force recovery phone numbers associated with Google accounts, potentially compromising user privacy and security. Singaporean security researcher “brutecat” identified that the vulnerability exploited a weakness in the company’s account recovery feature. The issue involved a now-obsolete version of the Google username recovery form (“accounts.google[.]com/signin/usernamerecovery”) that lacked sufficient anti-abuse measures to limit excessive requests. This page allows users to check if a recovery email or phone number is linked to a specific display name (e.g., “John Smith”). By bypassing the CAPTCHA rate limits, attackers could rapidly test various permutations of a Google account’s phone number, leading to possible exploitation.

Title: Over 20 Configuration Vulnerabilities Discovered in Salesforce Industry Cloud, Including Five CVEs

Date: June 10, 2025
Category: Vulnerability / SaaS Security

Cybersecurity experts have identified more than 20 configuration vulnerabilities within Salesforce Industry Cloud (formerly known as Salesforce Industries), potentially exposing sensitive data to unauthorized users. These vulnerabilities impact key components such as FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. “While low-code platforms like Salesforce Industry Cloud simplify application development, neglecting security measures can lead to significant risks,” said Aaron Costello, Chief of SaaS Security Research at AppOmni, in a statement to The Hacker News. If not mitigated, these misconfigurations may enable cybercriminals and unauthorized individuals to access encrypted sensitive information about employees and customers, session data reflecting user interactions with Salesforce Industry Cloud, credentials for Salesforce and other corporate systems, and critical business logic. Following a responsible disclosure process, more information is anticipated.