Threat actors have been observed to actively harness security flaws on Geovision’s End of the Apocalypse (EOL) Internet of Things (IoT) devices and surround them with Mirai BotNet to introduce distributed denial (DDOS) attacks.
Activities first observed by the Akamai Security Intelligence Unresponsive Team (SIRT) in early April 2025 include the exploitation of two operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120, CVSS score: 9.8) that can be used to execute any system command.
“The exploit targets the endpoint of the /date set of GeoVision IoT devices and injects commands into the SZSRVIPADDR parameter,” Akamai researcher Kyle Lefton said in a report shared with Hacker News.
The attack detected by the Web Security and Infrastructure Company was found to inject commands to download and run the ARM version of the Mirai malware called LZRD.
Vulnerabilities exploited by botnets include Hadoop Yarn vulnerabilities, CVE-2018-10561, and bugs that affect Digiever, highlighted in December 2024.
There is some evidence to suggest that the campaign is duplicated with the name of infected under the previously recorded activity.
“One of the most effective ways for cybercriminals to start assembling a botnet is to target fully secure and outdated firmware on older devices,” Lefton said.
“There are many hardware manufacturers that don’t issue patches to retired devices (in some cases, the manufacturers themselves may be discontinued).
Given that affected Geovision devices are unlikely to receive new patches, we recommend that users upgrade to a new model to protect against potential threats.
Samsung Magicinfo flaws were exploited in Mirai attacks
This disclosure comes when Arctic Wolf and the SANS Technology Institute warn about the active use of CVE-2024-7399 (CVSS score: 8.8).
This issue was addressed by Samsung in August 2024, but was weaponized by an attacker following the release of the Proof of Concept (POC) on April 30, 2025, and was then retrieved and executed a shell script responsible for downloading the botnet.
“Vulnerabilities allow for arbitrary file descriptions by uncertified users, and if the vulnerability is used to write specially created Javaserver page (JSP) files, it can ultimately lead to remote code execution,” Arctic Wolf said.
Users are encouraged to update their instances to version 21.1050 or later to mitigate potential operational impact.
Source link
