Wazuh Servers Targeted in Mirai Botnet Campaign Using Remote Code Execution Flaw
Two recent attack campaigns have been discovered targeting Wazuh servers with Mirai botnet variants. The attacks rely on a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-24016, that lets an attacker run arbitrary Python code on the server by abusing how the Wazuh server deserializes API parameters.
The vulnerability was originally disclosed in February, and malicious activity exploiting it was first observed in March, according to the Akamai Security Intelligence and Response Team (SIRT). Despite being publicly known for several months, the flaw had not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of Akamai's report.
The Technical Root: Malicious Dictionary Injection via Wazuh API
Wazuh, an open-source platform widely used for security monitoring and threat detection, is affected in versions 4.4.0 through 4.9.0. Akamai researchers explained how the flaw works in technical terms:
“In the Wazuh API, parameters in the DistributedAPI are serialized as JSON, then deserialized using as_wazuh_object in the framework/wazuh/core/cluster/common.py file. This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code.”
In simpler terms, the server reconstructs Python objects from the JSON it receives. An attacker can send a request body containing a specially structured dictionary that the deserializer does not validate; instead of treating the attacker's strings as data, it passes them to Python's evaluation, so attacker-supplied text is executed as Python code on the server.
This gives attackers code execution on vulnerable servers, which makes them prime targets for recruitment into botnet operations like Mirai.
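To make the bug class concrete, here is an added example that is not Wazuh's code and not from the Akamai report: a `json.loads` object hook that rebuilds exception objects from a tagged dictionary, first in the vulnerable form that hands the client-supplied class name to `eval()`, then in a hardened form that resolves the name with a restricted lookup and refuses anything that is not a builtin exception type. The tag name `__unhandled_exc__`, the `__class__`/`__args__` layout and the sample messages are assumptions constructed for the demonstration; the page does not give the exact key names Wazuh uses.

```python
import builtins
import json
from typing import Any, Dict, List

# Assumed tag meaning "rebuild an exception object from its JSON form".
# Illustrative only; the page does not give the real key names in the DAPI.
EXC_TAG = "__unhandled_exc__"


def as_object_vulnerable(dct: Dict[str, Any]) -> Any:
    """object_hook that trusts the sender: the class name goes to eval(),
    so whatever expression the client wrote is executed on the server."""
    if EXC_TAG in dct:
        exc = dct[EXC_TAG]
        # Bug: eval() on attacker-controlled text. "__class__" need not name an
        # exception at all; it can be any expression, including one that
        # imports a module and returns a function, which is then called.
        return eval(exc["__class__"])(*exc["__args__"])
    return dct


def as_object_hardened(dct: Dict[str, Any]) -> Any:
    """Same wire format, but the class name is looked up, never evaluated,
    and only BaseException subclasses with JSON-scalar args are rebuilt."""
    if EXC_TAG in dct:
        exc = dct[EXC_TAG]
        name = exc.get("__class__") if isinstance(exc, dict) else None
        args = exc.get("__args__", []) if isinstance(exc, dict) else None
        # Plain identifier only: no dots, quotes or parentheses get through.
        if not (isinstance(name, str) and name.isidentifier()):
            raise ValueError(f"invalid exception class name: {name!r}")
        cls = getattr(builtins, name, None)
        if not (isinstance(cls, type) and issubclass(cls, BaseException)):
            raise ValueError(f"refusing to reconstruct non-exception type {name!r}")
        scalars = (str, int, float, bool, type(None))
        if not (isinstance(args, list) and all(isinstance(a, scalars) for a in args)):
            raise ValueError("exception args must be a list of JSON scalars")
        return cls(*args)
    return dct


def deserialize_vulnerable(payload: str) -> Any:
    return json.loads(payload, object_hook=as_object_vulnerable)


def deserialize_hardened(payload: str) -> Any:
    return json.loads(payload, object_hook=as_object_hardened)


def hardened_rejects(payload: str) -> bool:
    """True if the hardened deserializer refuses the payload."""
    try:
        deserialize_hardened(payload)
    except ValueError:  # JSONDecodeError is a ValueError subclass too
        return True
    return False


def make_exc_payload(class_name: str, args: List[Any]) -> str:
    """Build a tagged message in the assumed wire format (constructed data)."""
    return json.dumps({EXC_TAG: {"__class__": class_name, "__args__": args}})


# Constructed messages, not captured traffic.
# A legitimate inter-node message: a KeyError being forwarded.
BENIGN = make_exc_payload("KeyError", ["agent_id"])
# A hostile one: the "class name" is an expression that imports os and
# returns a function. os.path.basename keeps the demo harmless; the
# vulnerable hook would accept os.system in exactly the same way.
MALICIOUS = make_exc_payload("__import__('os').path.basename", ["/etc/passwd"])

if __name__ == "__main__":
    print(repr(deserialize_vulnerable(BENIGN)))     # KeyError('agent_id')
    print(repr(deserialize_vulnerable(MALICIOUS)))  # 'passwd': arbitrary call ran
    print(repr(deserialize_hardened(BENIGN)))       # KeyError('agent_id')
    print(hardened_rejects(MALICIOUS))              # True
```

The hardened hook keeps the same message format, so legitimate exception forwarding still works; the difference is that the class name is used as a dictionary key into `builtins`, never as source code, and a builtin function such as `open` or `__import__` is rejected because it is not an exception type.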
Mirai Botnets Continue to Weaponize Exposed Systems
Mirai, a botnet family known since 2016, continues to evolve and exploit newly disclosed vulnerabilities in internet-exposed servers. In this case the targets are Wazuh servers still running a release in the affected range, that is, version 4.9.0 or earlier.
Researchers observed two distinct Mirai-driven campaigns focused on exploiting this flaw to gain access and control over outdated Wazuh deployments.
Patch and Mitigation: Wazuh 4.9.1 Closes the Gap
The fix for this vulnerability was issued in Wazuh version 4.9.1. Every release in the affected range (4.4.0 through 4.9.0) remains exploitable wherever the Wazuh API is reachable by an attacker, whether directly from the internet or from an untrusted network segment.
“The vulnerability only affects active Wazuh servers running outdated versions,” Akamai warned.
Administrators are urged to update immediately to 4.9.1 or later and to restrict network access to the Wazuh API to trusted hosts and networks, for example with firewall rules, rather than exposing it to the internet.
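A practical first step is to find which servers in an inventory still fall inside the affected range and rank them by exposure. The following is an added example, not a Wazuh tool: it parses version strings as integer tuples (a plain string comparison would put "4.10.1" before "4.9.0" and misclassify patched servers) and orders hosts for patching. The inventory is constructed sample data; the exposure flag is assumed to come from the operator's own knowledge of where the API is reachable, and no live API is queried.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]

# Affected range as stated in the advisory summary; 4.9.1 is the first fixed release.
FIRST_AFFECTED: Version = (4, 4, 0)
FIRST_FIXED: Version = (4, 9, 1)


def parse_version(text: str) -> Version:
    """Extract major.minor.patch as integers from strings such as
    'v4.9.0', 'Wazuh 4.10.1' or '"api_version": "4.8.2"'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_vulnerable(version_text: str) -> bool:
    """True for 4.4.0 <= version < 4.9.1, compared numerically."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """Rank hosts for patching. Each entry is (hostname, version string,
    api_reachable_from_untrusted_network). Returns (host, action) pairs with
    exposed vulnerable servers first; ties keep inventory order."""
    ranked = []
    for host, version, exposed in inventory:
        if not is_vulnerable(version):
            ranked.append((0, host, "ok: not in affected range"))
        elif exposed:
            ranked.append((2, host, "patch now: vulnerable and API reachable from untrusted network"))
        else:
            ranked.append((1, host, "patch: vulnerable, API access already restricted"))
    ranked.sort(key=lambda r: -r[0])  # stable sort keeps ties in input order
    return [(host, action) for _, host, action in ranked]


# Constructed inventory, not real hosts.
SAMPLE = [
    ("siem-prod-01", "v4.9.0", True),
    ("siem-lab-02", "4.10.1", True),
    ("siem-dr-03", "Wazuh 4.7.5", False),
    ("siem-old-04", "4.3.11", True),
    ("siem-prod-05", "4.9.1", True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host:14} {action}")
```

The version string can be fed from whatever source the operator already has, such as the `api_version` field in the API's root response, a package manager query, or a CMDB export; the comparison logic stays the same.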