The resurgence of the Mirai botnet has once again shaken the cybersecurity landscape, with a campaign targeting vulnerabilities in discontinued GeoVision IoT devices. These devices, which rely on outdated software, are exploited through two critical vulnerabilities—CVE-2024-6047 and CVE-2024-11120—disclosed in 2024. These vulnerabilities allow unauthenticated remote attackers to inject arbitrary commands, which facilitates malware propagation. Despite being known for months, the vulnerabilities had not been widely publicized until now, which may explain why many devices remain unpatched and vulnerable.
The exploit specifically targets the /DateSetting.cgi endpoint in the devices, injecting malicious commands into the parameter that fails to properly filter user input. The scope of the threat is particularly troubling because these IoT devices are no longer supported and will not receive security patches. This scenario highlights the ongoing problem in the IoT sector where older, unsupported devices remain in use, widening the attack surface for cybercriminals. Organizations now face the dilemma of either accepting the security risk or decommissioning functional devices to protect their networks.
Akamai researchers discovered this malicious activity through their global network of honeypots in early April 2025.
After investigation, they attributed the attacks to a Mirai-based malware variant named LZRD, which targets multiple vulnerabilities. The infection process begins when attackers send crafted HTTP requests to vulnerable GeoVision devices, injecting commands into the szSrvlpAddr parameter. This exploitation triggers the download and execution of an ARM-based Mirai malware file, which is often referred to as “boatnet” in various Mirai variants.
Further analysis revealed that the LZRD variant contains several attack methods, including UDP and TCP flood capabilities.
The malware communicates with a hard-coded command-and-control (C2) server, identified by its IP address, suggesting a potential link to other botnet campaigns. To defend against such threats, organizations should replace vulnerable devices, isolate IoT networks, and deploy intrusion detection systems to monitor for unusual traffic patterns linked to known C2 infrastructure.
Reference:
