
Threat actors are actively targeting Wazuh servers running software version 4.4.0 by exploiting a vulnerability that enables them to install Mirai botnet malware. The resulting botnets facilitate distributed denial of service (DDoS) attacks against victims and execute malicious payloads on the compromised Wazuh servers. To learn how to protect your systems against the Mirai botnet attack, continue reading this Cybersecurity Threat Advisory.
What is the threat?
Threat actors are actively exploiting a vulnerability in the Wazuh server’s API parameters. Research shows that the framework’s distributed API deserializes request parameters in a Python file, and attackers injected malicious payloads into those parameters to execute shell scripts. In the first observed instance of exploitation, the injected code executed a shell script that downloaded the Mirai botnet payload from the external server “176[.]65[.]134[.]62.” The second exploit used a shell script that downloaded a Mirai variant known as Resbot. Fortunately, Wazuh addressed this vulnerability with the release of version 4.9.1 of its server software. Before this patch, attackers carried out the two most recent exploits in March and May of 2025.
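As an added example (not code from the advisory or from Wazuh), the following Python helper triages an inventory of Wazuh managers against the two version numbers given above: anything from 4.4.0 up to, but not including, 4.9.1 (the release that shipped the fix for CVE-2025-24016) is flagged for upgrade. The `wazuh-control info` output format, the hostnames and the version values in the sample inventory are constructed assumptions.

```python
"""Triage Wazuh manager versions against the range described in the advisory."""
import re
from typing import Dict, List, Tuple

# Boundaries taken from the advisory text: 4.4.0 is cited as vulnerable and
# 4.9.1 is the release that fixed CVE-2025-24016.
FIRST_AFFECTED = (4, 4, 0)
FIXED_IN = (4, 9, 1)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract (major, minor, patch) from strings such as 'v4.4.0',
    'Wazuh v4.9.1' or 'WAZUH_VERSION="v4.8.2"'.

    Comparing integer tuples avoids the classic string-comparison bug
    where "4.10.0" sorts before "4.9.1".
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text: str) -> bool:
    """True when the version falls inside [4.4.0, 4.9.1)."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_IN


# Constructed sample: output of `wazuh-control info` collected from several
# hosts (hostname -> captured output). Hostnames and values are made up;
# the output format is an assumption about the tool, not taken from the page.
SAMPLE_INVENTORY: Dict[str, str] = {
    "siem-01": 'WAZUH_VERSION="v4.4.0"\nWAZUH_REVISION="40400"\nWAZUH_TYPE="server"',
    "siem-02": 'WAZUH_VERSION="v4.9.0"\nWAZUH_REVISION="40900"\nWAZUH_TYPE="server"',
    "siem-03": 'WAZUH_VERSION="v4.9.1"\nWAZUH_REVISION="40901"\nWAZUH_TYPE="server"',
    "siem-04": 'WAZUH_VERSION="v4.3.10"\nWAZUH_REVISION="40316"\nWAZUH_TYPE="server"',
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hostnames that still need the 4.9.1 upgrade."""
    return sorted(host for host, info in inventory.items() if is_vulnerable(info))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: running a version in the affected range; upgrade to 4.9.1 or later")
```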
Why is this noteworthy?
A patch addressing the Mirai botnet vulnerabilities was released in February 2025, along with details about the flaws in the previous software version 4.4.0. By the end of March 2025, threat actors began exploiting the identified vulnerabilities, specifically targeting CVE-2025-24016. Without proper measures in place to prevent downtime, such as load balancing or redundancy, legitimate users may experience server outages that can significantly impact a company’s bottom line. Client-facing servers typically host websites, manage user authentication, run email servers, and support customer service channels. As of 2023, the average cost of a DDoS attack reached $6,000 per minute of downtime. With an average service downtime of 68 minutes, companies could face an average cost of $408,000 for a typical DDoS attack.
What is the exposure or risk?
Businesses running Wazuh servers on outdated software versions, as well as those using Huawei routers, TrueOnline routers, or Realtek SDKs, face significant risks from these attacks. Organizations must remain vigilant about the increasing trend of botnet attacks. Notable trends include embedding malicious botnet payloads in networking devices before they are shipped to customers, targeting IoT devices that lack regular firmware updates, and executing API flooding DDoS attacks. All organizations that do not implement robust patch management processes expose themselves to a heightened risk of botnet attacks as attackers grow more sophisticated and new exploits continue to emerge.
What are the recommendations?
Barracuda recommends the following actions to keep your servers secure:
- Conduct regular patch management to prevent the exposure of vulnerable servers and endpoints.
- Create redundancy within the organization to reduce the impact of downtime caused by an attack.
- Conduct regular scans to ensure there are no irregular processes or files uploaded.
- Implement an Intrusion Detection or Prevention System, such as Barracuda Managed XDR Network Security, to monitor network traffic.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/06/botnet-wazuh-server-vulnerability.html
- https://thehackernews.com/2025/01/mirai-botnet-launches-record-56-tbps.html
- https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html
- https://www.perimeter81.com/blog/network/ddos-attack-cost
- https://www.zayo.com/newsroom/average-ddos-attack-cost-businesses-nearly-half-a-million-dollars-in-2023-according-to-new-zayo-data/
- https://www.theregister.com/2025/06/10/critical_wazuh_bug_exploited_in/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.