Critical Vulnerability in Wazuh Servers: A Gateway for Botnet Attacks
Posted in IT Consulting, IT Risk Assessments, News
Wazuh Server Vulnerability Introduction
Cybercriminals continue to shorten the time between the publication of a security vulnerability and its exploitation, and the Wazuh Server vulnerability is a clear example. Within a few short weeks of its public disclosure, attackers began actively targeting CVE-2025-24016, an unsafe deserialization issue that exposes Wazuh servers to remote code execution. The vulnerability has allowed attackers to build powerful botnet infrastructure and carry out distributed denial-of-service (DDoS) attacks.
The speed of these attacks underscores the critical need for businesses to maintain robust cybersecurity controls and to patch high-priority vulnerabilities quickly. Because Wazuh Server is itself used for security monitoring and threat detection, this flaw, rated with a CVSS score of 9.9, drew immediate attention. The goal of this article is to help companies understand the impact of this vulnerability, outline how attackers are leveraging it to spread Mirai-based botnets, and highlight proactive steps IT teams can take to mitigate these threats.
Background on Wazuh Server Vulnerability and CVE-2025-24016
Wazuh is a cornerstone of security monitoring in many businesses, collecting and analyzing logs from a wide range of endpoints. In early 2025, a vulnerability emerged within the Wazuh API’s DistributedAPI feature, where parameters are serialized as JSON and then deserialized. That deserialization process was unsafe, allowing maliciously crafted payloads to execute arbitrary Python code on the server.
Recognizing the flaw’s severity, Wazuh patched all known affected versions by releasing an update (version 4.9.1) in February 2025. Unfortunately, the availability of a public proof-of-concept (PoC) around the same time spurred interest among threat actors, who quickly began probing and exploiting unpatched Wazuh Server installations.
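The bug class described above, unsafe deserialization of JSON-carried parameters, is easiest to recognise side by side with its fix. The following is an added illustration, not Wazuh's code: a decoder whose object hook lets a key inside the data choose behaviour (including running code), next to a hardened decoder that only rebuilds allowlisted types and treats everything else as plain data or an error. The marker names "__run__" and "__type__" and the type allowlist are hypothetical.

```python
import json
from typing import Any, Callable

# Illustration only (not Wazuh's code): two JSON decoders for a DistributedAPI-style
# parameter stream, one showing the vulnerable pattern and one hardened.
# The marker names "__run__" and "__type__" are hypothetical.

EXEC_LOG: list[str] = []          # lets the demo observe that exec() really ran


def unsafe_decode(raw: str) -> Any:
    """Vulnerable pattern: a key inside the data selects behaviour, and one of
    the behaviours is exec(). Whoever controls the JSON controls the process."""
    def hook(obj: dict) -> Any:
        if "__run__" in obj:
            exec(obj["__run__"])  # attacker-controlled source text
            return None
        return obj
    return json.loads(raw, object_hook=hook)


# Hardened pattern: unknown markers are data or an error, never behaviour.
# Only the constructors listed here may rebuild a typed value from JSON.
ALLOWED_TYPES: dict[str, Callable[[dict], Any]] = {
    "api_result": lambda o: {"ok": True, "data": o.get("data")},
    "api_error": lambda o: {"ok": False, "code": int(o.get("code", 0))},
}


def safe_decode(raw: str) -> Any:
    def hook(obj: dict) -> Any:
        marker = obj.get("__type__")
        if marker is None:
            return obj                       # plain dict, even if it has odd keys
        factory = ALLOWED_TYPES.get(marker)
        if factory is None:
            raise ValueError(f"rejected unknown type marker {marker!r}")
        return factory(obj)
    return json.loads(raw, object_hook=hook)


if __name__ == "__main__":
    # Constructed sample payload: harmless here, but it proves exec() is reachable.
    unsafe_decode('{"__run__": "EXEC_LOG.append(\'ran\')"}')
    print("unsafe decoder executed:", EXEC_LOG)
    print("safe decoder treats the same input as data:",
          safe_decode('{"__run__": "EXEC_LOG.append(\'ran\')"}'))
```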
Timeline and Rapid Exploitation
Security researchers detected active exploitation attempts as early as March 2025, underscoring how quickly criminals can scale their operations once a PoC is revealed. According to industry researchers, these attacks continued into May 2025, indicating that some companies had not applied the critical patch in time. This rapid response by cybercriminals follows what many experts perceive as a broader trend: attackers are narrowing the window between disclosure and exploitation, bypassing typical “grace periods” that companies once relied upon to implement patches safely.
How Attackers Exploit Wazuh Servers
To compromise a Wazuh Server, attackers send malicious JSON payloads designed to trigger remote code execution. With the ability to run arbitrary Python code, attackers can pull down shell scripts from external servers. These scripts facilitate the download and installation of Mirai-based botnet binaries, which can be compiled for various processor architectures, ensuring a wide net of potential victims.
Mirai variants commonly used in these campaigns include familiar names such as LZRD, Neon, Vision, and V3G4. Despite Mirai’s age, its adaptability continues to make it a preferred tool for hackers searching for fast and efficient methods to commandeer vulnerable devices.
Two Distinct Botnet Campaigns
Researchers have identified at least two major botnet campaigns exploiting CVE-2025-24016 to spread Mirai payloads. The first campaign predominantly deploys the LZRD Mirai variant. Infrastructure tied to this campaign has also been linked to attacks on other systems, such as Hadoop YARN, TP-Link Archer AX21 routers, and IoT devices from various manufacturers. The second campaign focuses on a Mirai offshoot, sometimes called Resbot or Resentual. This campaign uses Italian references in domain names, a curious linguistic choice that could point to a preference for compromising Italian-speaking users and networks.
In both cases, the core operation is the same: exploit an unpatched system, drop a script, and implant a Mirai-based binary that enlists the infected machine into a botnet. From there, the machine can be directed to launch DDoS attacks or to grow the botnet by scanning for and attacking other vulnerable devices.
Broader Mirai Exploitation Beyond Wazuh
While the latest focus has fallen on Wazuh Servers, Mirai operators are certainly not restricting themselves to a single gateway. Some exploit CVE-2024-3721, a command injection flaw in digital video recording devices, to corral even more systems into their networks. This multi-pronged approach speaks to Mirai’s enduring popularity among cybercriminals: the source code is readily available, and adapting it to new vulnerabilities is straightforward.
Geographically, research indicates notable pockets of Mirai infections emerging in Asia and other regions, revealing broad scanning across the internet for devices and servers that remain unpatched. Compromised devices commonly exhibit performance issues, unreliable network behavior, and concealed “ghost” processes running in the background.
Implications for Businesses
Once a botnet gains a foothold, the consequences can be damaging. In large-scale DDoS attacks, companies may experience significant downtime and reputational harm. If any sensitive data is exfiltrated, recovery can be lengthy and costly. The existence of a patch for CVE-2025-24016 reiterates the importance of strong vulnerability management. Promptly updating systems reduces the window of opportunity for adversaries. Proactive monitoring also helps detect suspicious actions or unusual inbound traffic indicative of an attempted exploit.
“We’ve seen how quickly threat actors adapt once new exploits surface,” says Alex Wardle, Security Consultant at Tanner. “In some instances, they initiate attacks within days, if not hours, after a proof-of-concept is released. This is a powerful reminder that continuous patching and vigilant system monitoring are indispensable.”
How Tanner Can Help
Tanner provides comprehensive cybersecurity services to protect your business from vulnerabilities like CVE-2025-24016. Our team performs in-depth risk assessments and vulnerability scanning to detect known and emerging weak controls. We analyze your security architecture holistically, identifying where controls might be refined to block modern, fast-moving threats. Our services also extend to incident response planning, ensuring that if an attacker does breach your defenses, you have a clear protocol in place for limiting damage and restoring trust.
Tanner’s managed detection and threat intelligence offerings add another layer of protection, continuously monitoring your environment for signs of intrusion or abnormal activity. By detecting malicious campaigns early, you stand a far better chance of containing the fallout and preserving your core operations.
Wazuh Server Vulnerability Conclusion
CVE-2025-24016 exemplifies the speed at which threat actors weaponize new vulnerabilities, particularly when public proof-of-concept resources are available. In the case of Wazuh Servers, it has served as a convenient launching point for Mirai-based botnets already infamous for orchestrating wide-ranging DDoS assaults. Businesses must treat this as a wake-up call: maintain strict patch management policies and leverage layered security measures to guard against opportunistic intrusions.
Botnet proliferation is unlikely to subside. Criminal groups are experienced at repurposing proven malware for emerging vulnerabilities, with very high success rates. Staying ahead of this curve depends on a company’s ability to respond decisively and implement solutions that reduce the overall attack surface.