
Potential attackers could exploit a critical flaw to remotely execute code by uploading what researchers from Akamai called an “unsanitized dictionary.”
The Mirai botnet, initially discovered back in August 2016, continues to be a nightmare for system defenders.
The Akamai Security Intelligence and Response Team (SIRT) has identified two campaigns of Mirai botnet variants that exploited a critical remote code execution (RCE) vulnerability against Wazuh servers.
Initially, the vulnerability was disclosed in February, and the Akamai SIRT first identified activity in March.
The flaw hasn’t been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog despite being public for months.
The flaw (CVE-2025-24016) was disclosed in Wazuh, a free and open-source platform for threat prevention, detection, and response.
The vulnerability affects Wazuh 4.4.0 through 4.9.0, and the patch was released in version 4.9.1.
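A quick way to triage an inventory of Wazuh servers against that range, as an added example (not code from the article, Akamai or the Wazuh project): the affected range 4.4.0 through 4.9.0 and the fixed release 4.9.1 come from the article; the version strings and host names below are constructed for illustration, and the parser accepts whatever "4.9.0"-style string your inventory or package manager reports.

```python
"""Flag Wazuh versions in the range affected by CVE-2025-24016.

Added example, not from the article or the Wazuh project. Range values are
the ones the article states; the sample inventory is constructed.
"""
import re
from typing import List, Optional, Tuple

AFFECTED_MIN = (4, 4, 0)   # first affected release, per the article
AFFECTED_MAX = (4, 9, 0)   # last affected release, per the article
FIXED = (4, 9, 1)          # release that carries the patch, per the article

# Accepts "4.9.0", "v4.9.0" or "4.9.0-1"; only the leading triplet matters.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Returns None when the string does not start with three dot-separated
    integers, so callers never compare against a half-parsed value.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if patched or older than the
    range, None if the version string could not be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(inventory: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (host, version) pairs into hosts needing the 4.9.1 update and
    hosts whose version could not be determined and need a manual look."""
    needs_patch: List[str] = []
    unknown: List[str] = []
    for host, version in inventory:
        verdict = is_affected(version)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            needs_patch.append(host)
    return needs_patch, unknown


if __name__ == "__main__":
    # Constructed inventory: one affected, one patched, one pre-range, one unparseable.
    sample = [("mgr-01", "v4.7.2"), ("mgr-02", "4.9.1"),
              ("mgr-03", "4.3.10"), ("mgr-04", "unknown")]
    to_patch, to_check = triage(sample)
    print("update to %d.%d.%d:" % FIXED, to_patch)
    print("manual check:", to_check)
```

Hosts in the first list are within 4.4.0 to 4.9.0 and should be moved to 4.9.1 or later; hosts in the second list reported something the regex could not read and should not be silently treated as safe.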
By exploiting the vulnerability, a remote attacker with API access could execute arbitrary code using a malicious JSON file.
“In the Wazuh API, parameters in the DistributedAPI are serialized as JSON, then deserialized using as_Wazuh_object in the framework/wazuh/core/cluster/common.py file. This can be exploited by injecting an unsanitized dictionary into DAPI requests, which can lead to evaluation of arbitrary Python code,” Akamai said.
Or, as we understand it, attackers can “simply” trick systems into running malicious Python code.
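The general defensive rule behind this class of bug is that a JSON deserializer must never turn a string from the payload into code, whether through eval(), a dynamic import or a getattr on an attacker-chosen name; it should rebuild only types it has explicitly registered and reject everything else. The following is an added example of that pattern, not the article's, Akamai's or Wazuh's code: the marker key `"__typed__"`, the registry contents and the sample payloads are constructed for illustration and do not describe Wazuh's actual wire format.

```python
"""Allowlist-based object_hook for json.loads.

Added example, not from the article or the Wazuh project. The "__typed__"
marker, the REGISTRY entries and the sample payloads are constructed.
"""
import json
from typing import Any, Callable, Dict


class DeserializationError(ValueError):
    """Raised for any object the hook is not explicitly allowed to build."""


# The only names that may become objects. Each maps a marker string to a
# constructor; nothing in the payload is ever looked up by name elsewhere.
REGISTRY: Dict[str, Callable[..., Any]] = {
    "TimeoutError": lambda msg: TimeoutError(msg),
    "ConnectionRefused": lambda msg: ConnectionRefusedError(msg),
}


def safe_object_hook(dct: Dict[str, Any]) -> Any:
    """object_hook that rebuilds only allowlisted types from a JSON object."""
    if "__typed__" not in dct:
        return dct                      # plain data: pass through untouched
    spec = dct["__typed__"]
    if not isinstance(spec, dict):
        raise DeserializationError("type marker must be an object")
    name = spec.get("class")
    args = spec.get("args", [])
    if not isinstance(name, str) or name not in REGISTRY:
        raise DeserializationError(f"refusing to build unlisted type {name!r}")
    # json.loads calls the hook bottom-up, so a nested typed object would
    # already be an instance here; the scalar check rejects it as an argument.
    if not isinstance(args, list) or not all(
        isinstance(a, (str, int, float)) for a in args
    ):
        raise DeserializationError("constructor args must be scalars")
    return REGISTRY[name](*args)


def load_message(raw: str) -> Any:
    """Parse an inbound message, rebuilding only registered types."""
    return json.loads(raw, object_hook=safe_object_hook)


def classify(raw: str) -> str:
    """Triage helper for a pre-filter in front of an API handler:
    'ok', 'rejected' (hook refused it) or 'malformed' (not JSON)."""
    try:
        load_message(raw)
        return "ok"
    except DeserializationError:
        return "rejected"
    except json.JSONDecodeError:
        return "malformed"


if __name__ == "__main__":
    # Constructed payloads: one registered type, one unlisted type, one plain dict.
    for payload in (
        '{"__typed__": {"class": "TimeoutError", "args": ["agent slow"]}}',
        '{"__typed__": {"class": "NotRegistered", "args": []}}',
        '{"agent": "001", "status": "active"}',
    ):
        print(classify(payload), payload)
```

The important property is that the hook's decision depends only on membership in `REGISTRY`, which the server controls, and never on interpreting the payload's strings as module paths, attribute names or source text; a rejected marker is a useful signal to log, since legitimate peers only send registered names.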
Researchers noted that the vulnerability only affects active Wazuh servers running outdated versions and urged users to update to Wazuh version 4.9.1 or later.