A critical vulnerability in Wazuh servers, tracked as CVE-2025-24016, is being actively exploited by Mirai botnets, posing a significant threat to organizations using the platform. The flaw, which has a CVSS score of 9.9, allows for remote code execution due to unsafe deserialization in the DistributedAPI parameters. This vulnerability affects Wazuh versions starting from 4.4.0 up to 4.9.0.
The vulnerability was publicly disclosed on February 10, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog on June 10, 2025. With an Exploit Prediction Scoring System (EPSS) score of 0.937, the likelihood of exploitation is extremely high, and the vulnerability has been exploited in the wild within 119 days of its disclosure.
Attackers leveraging this vulnerability can execute arbitrary code on unpatched Wazuh servers, potentially gaining full control over affected systems. This has made Wazuh servers a prime target for Mirai botnets, which are known for their ability to launch distributed denial-of-service (DDoS) attacks.
Currently, there is one known exploit and eight proof-of-concept (PoC) examples available, further increasing the risk for organizations that have not yet patched their systems. The vulnerability is categorized under CWE-502, which involves deserialization of untrusted data, a common vector for remote code execution attacks.
Organizations using Wazuh are urged to upgrade to version 4.9.1 or later, where the vulnerability has been addressed. Immediate attention is required to mitigate the risk, as indicated by the Security Severity Vulnerability Classification (SSVC) rating of 'attend.'
CSURFACE