The Akamai Security Intelligence and Response Team (SIRT) has uncovered active exploitation of two previously disclosed vulnerabilities, CVE-2024-6047 and CVE-2024-11120, in discontinued GeoVision Internet of Things (IoT) devices. This marks the first publicly observed use of these vulnerabilities since their initial disclosures in June and November 2024, respectively.
Detected through Akamai’s global network of honeypots in early April 2025, the exploit is a command injection attack against the /DateSetting.cgi endpoint, specifically abusing the szSrvIpAddr parameter. Because the parameter is not properly sanitized, unauthenticated remote attackers can inject and execute system-level commands on affected devices.
Mirai Botnet
Akamai’s analysis revealed that attackers are deploying a Mirai-based malware variant dubbed LZRD, which the injected command string downloads onto the device. This variant displays a distinctive console message on execution and carries a suite of functions typical of Mirai strains, including multiple UDP- and TCP-based attack methods.
Further investigation revealed a hardcoded command-and-control (C2) IP address embedded in the malware’s code, along with a C2 server banner message resembling previously identified infrastructure used by the InfectedSlurs botnet, also known as TBOTNET. This suggests potential overlap or evolution in botnet operations from previous campaigns observed in 2023 and early 2024.
In addition to the GeoVision vulnerabilities, the botnet also attempts to exploit several other known vulnerabilities, including:
- A Hadoop YARN exploit
- A ZTE ZXV10 H108L router vulnerability
- CVE-2018-10561
- A previously reported DigiEver vulnerability
Conclusion
These widespread attacks underscore the continuing threat posed by legacy IoT devices, which often remain unpatched or unsupported. Akamai emphasizes that the vulnerable GeoVision models are officially retired and will not receive security updates.
As part of its response, Akamai has published a set of Indicators of Compromise (IOCs) to aid defenders in detecting and mitigating these threats. The company warns that outdated IoT firmware remains a key target for cybercriminals seeking to expand botnets and conduct large-scale distributed denial-of-service (DDoS) attacks.
IOC
- 209.141.44.28
- 51.38.137.114
- 176.65.144.253
- 176.65.144.232
- 198.23.212.246
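As an added defender-side example (not code from the Akamai post, GeoVision, or Cybersecurity88), the following Python script scans web-server access-log lines for the two signals this article describes: requests to /DateSetting.cgi whose szSrvIpAddr value is anything other than a plain IP address or hostname, and requests originating from the IP addresses in the IOC list above. The Common Log Format layout, the sample log lines and the hostname check are assumptions; a real GeoVision device or a fronting proxy may log differently.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# IP addresses exactly as listed in the article's IOC section.
IOC_IPS = frozenset({
    "209.141.44.28",
    "51.38.137.114",
    "176.65.144.253",
    "176.65.144.232",
    "198.23.212.246",
})

TARGET_PATH = "/DateSetting.cgi"
TARGET_PARAM = "szSrvIpAddr"

# Assumed Common Log Format layout: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters that never belong in a time-server address but are typical of shell command injection.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\r\n]")
# Conservative hostname syntax (labels of letters, digits and hyphens separated by dots).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def looks_like_server_address(value: str) -> bool:
    """True only if value is a bare IPv4/IPv6 literal or hostname, the sole legitimate content of szSrvIpAddr."""
    if SHELL_META.search(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def analyze_line(line: str) -> list[dict]:
    """Return zero or more findings for a single access-log line."""
    findings = []
    m = LOG_RE.match(line)
    if not m:
        return findings  # unparseable line; a real pipeline would count these
    src = m.group("src")
    target = m.group("target")
    if src in IOC_IPS:
        findings.append({"kind": "ioc_source", "src": src, "target": target})
    parts = urlsplit(target)
    if parts.path == TARGET_PATH:
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get(TARGET_PARAM, []):
            value = unquote(raw)  # parse_qs decoded once; a second pass exposes double-encoded payloads
            if not looks_like_server_address(value):
                findings.append({"kind": "injection_attempt", "src": src, "value": value})
    return findings


def analyze_log(lines) -> list[dict]:
    findings = []
    for line in lines:
        findings.extend(analyze_line(line))
    return findings


# Constructed sample log: one benign request, one injection-shaped value, one hit from an IOC IP, one hostname.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2025:10:14:02 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.168.1.20&type=1 HTTP/1.1" 200 512
203.0.113.9 - - [02/Apr/2025:10:15:41 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.168.1.20%3Becho%20probe%3B HTTP/1.1" 200 512
209.141.44.28 - - [02/Apr/2025:10:16:07 +0000] "GET /index.htm HTTP/1.1" 200 1024
10.0.0.6 - - [02/Apr/2025:10:17:30 +0000] "GET /DateSetting.cgi?szSrvIpAddr=pool.ntp.org HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Two caveats for real deployments: if the device accepts szSrvIpAddr in a POST body rather than the query string, an access log will not contain the value, so the parser has to be fed from a proxy or WAF log that records request bodies; and because the article does not say which role each IOC address plays, the same IOC_IPS set should also be matched against destination addresses in egress or NetFlow data.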
Source: hxxps[://]www[.]akamai[.]com/blog/security-research/active-exploitation-mirai-geovision-iot-botnet