Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120, CVSS scores: 9.8) that could be used to execute arbitrary system commands.
"The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, and injects commands into the szSrvIpAddr parameter," Akamai researcher Kyle Lefton said in a report shared with The Hacker News.
In the attacks detected by the web security and infrastructure company, the botnet has been found injecting commands to download and execute an ARM version of the Mirai malware called LZRD.
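As an added illustration (not code from the article or from Akamai), the following Python check shows how a defender might sweep web-server access logs for the pattern described above: requests to /DateSetting.cgi whose szSrvIpAddr value is not a plausible time-server address. The log lines, the time-server allowlist rule and the field names are constructed assumptions; note that a POST body is not normally recorded in access logs, so only parameters carried in the query string are visible here.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the article or from any real device).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2025:10:12:01 +0000] "POST /DateSetting.cgi?szSrvIpAddr=192.0.2.10 HTTP/1.1" 200 512
203.0.113.7 - - [03/Apr/2025:10:12:09 +0000] "POST /DateSetting.cgi?szSrvIpAddr=192.0.2.10%3Bid HTTP/1.1" 200 0
203.0.113.9 - - [03/Apr/2025:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.4 - - [03/Apr/2025:10:14:02 +0000] "POST /DateSetting.cgi?szSrvIpAddr=pool.ntp.org HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Characters that have no place in a server address but do in a shell command line.
SHELL_META = set(";|&`$(){}<>\n")


def is_plausible_server(value: str) -> bool:
    """Allowlist check (assumption): the field should hold an IP literal or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and bool(HOSTNAME_RE.match(value))


def suspicious_datesetting_requests(log_text: str) -> list[dict]:
    """Return one finding per /DateSetting.cgi request whose szSrvIpAddr fails the allowlist."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/datesetting.cgi":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("szSrvIpAddr", []):
            value = unquote(raw)  # parse_qs decoded once; unquote again to catch double-encoding
            if not is_plausible_server(value):
                findings.append({
                    "line": lineno,
                    "client": line.split()[0],
                    "value": value,
                    "shell_meta": sorted(c for c in value if c in SHELL_META),
                })
    return findings


if __name__ == "__main__":
    for f in suspicious_datesetting_requests(SAMPLE_LOG):
        print(f)
```

The allowlist approach (flag anything that is not an address) catches encodings and command forms a metacharacter denylist alone would miss; the `shell_meta` field only annotates the finding.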
Other vulnerabilities exploited by the botnet include a Hadoop YARN vulnerability, CVE-2018-10561, and a bug impacting DigiEver that was highlighted in December 2024.
There is some evidence to suggest that the campaign overlaps with previously recorded activity under the name InfectedSlurs.
"One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices," Lefton said.
"There are many hardware manufacturers who do not issue patches for retired devices (in some cases, the manufacturer itself may be defunct)."
Given that the affected GeoVision devices are unlikely to receive new patches, it's recommended that users upgrade to a newer model to safeguard against potential threats.
Samsung MagicINFO Flaw Exploited in Mirai Attacks
The disclosure comes as Arctic Wolf and the SANS Technology Institute warned of active exploitation of a vulnerability associated with Samsung MagicINFO 9 Server to deliver the Mirai botnet, shortly after the release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025.
While the activity was initially assessed to be associated with CVE-2024-7399 (CVSS score: 8.8), a path traversal flaw in Samsung MagicINFO 9 Server that could enable an attacker to write arbitrary files as system authority, it has since become clear the PoC is for a separate vulnerability that remains unpatched to date.
"The vulnerability described in the [PoC] allows unauthenticated threat actors to write arbitrary files to the server, which can lead to remote code execution if specially crafted JavaServer Pages (JSP) files are uploaded," Arctic Wolf said.
The assessment that a new flaw is behind the exploitation is bolstered by evidence from cybersecurity firm Huntress that even the latest version of Samsung MagicINFO 9 Server is susceptible to the PoC, and that it has observed in-the-wild abuse targeting the latest version of the content management system used to control digital signage displays.
"It can only be concluded that the patch from August 2024 was either incomplete or for a separate, but similar, vulnerability," researchers Jai Minton and Craig Sweeney said in a report published on May 7, 2025.
When reached for comment, the Arctic Wolf Labs team told The Hacker News that the new findings suggest that there is an unresolved vulnerability being exploited in the wild that affects the latest release of Samsung MagicINFO 9 (version 21.1050.0).
"At this time, the only reliable mitigation for this issue is to remove potentially affected services from the public internet," it added.
The Hacker News has reached out to Samsung for further comment, and we will update the story if we hear back.
Update
The U.S. Cybersecurity and Infrastructure Security Agency, in a related update, added the two GeoVision flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by May 28, 2025, or discontinue use of the products if mitigations are unavailable.
(The story was updated after publication to include new findings from Huntress that the exploitation activity targeting Samsung MagicINFO 9 Server involves a new security flaw.)