A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that allows for remote code execution on Wazuh servers. The security defect, which affects all versions of the server software including and above 4.4.0, was addressed in February 2025 with the release of 4.9.1. A proof-of-concept (PoC) exploit was publicly disclosed around the same time the patches were released. The problem is rooted in the Wazuh API, where parameters in the DistributedAPI are serialized as JSON and deserialized using "as_wazuh_object" in the framework/wazuh/core/cluster/common.py file. A threat actor could weaponize the vulnerability by injecting malicious JSON payloads to execute arbitrary Python code remotely. The web infrastructure company said it discovered attempts by two different botnets to exploit CVE-2025-24016 merely weeks after public disclosure of the flaw and the release of the PoC. The attacks were registered in early March and May 2025. "This is the latest example of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs," security researchers Kyle Lefton and Daniel Messing said in a report shared with…Read More