Samsung and GeoVision Hit by Mirai Botnet Attacks

Akamai’s Security Intelligence and Response Team (SIRT) has uncovered a fresh campaign of Mirai botnet attacks exploiting outdated Samsung and GeoVision IoT devices. The attackers are using two severe OS command injection vulnerabilities — CVE-2024-6047 and CVE-2024-11120 — to execute arbitrary commands and enlist these devices into their botnet for DDoS operations.

Both flaws have a CVSS score of 9.8, marking them as critical. The attack focuses on the /DateSetting.cgi endpoint in GeoVision firmware, specifically targeting the szSrvIpAddr parameter to inject malicious commands. These exploits allow the attackers to download and run a custom Mirai variant called LZRD, built for ARM-based systems.
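
A defender-side check for the request pattern described above, added here as an example and not taken from Akamai's report or this article: it flags logged requests to /DateSetting.cgi whose szSrvIpAddr value is anything other than an IP address or hostname. The tab-separated log format, the sample lines, and the premise that a legitimate value is an address or hostname are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/datesetting.cgi"  # endpoint named in the article, lower-cased
PARAM = "szSrvIpAddr"          # parameter named in the article
# Assumption: a legitimate value is an IP address or a plain DNS hostname.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def is_plain_host(value):
    try:
        addr = ipaddress.ip_address(value)
        # An IPv6 zone ID ("%...") is free-form text, so refuse it.
        return getattr(addr, "scope_id", None) is None
    except ValueError:
        # fullmatch also rejects a trailing newline, which "$" would allow.
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Return (client, decoded value) for ENDPOINT requests failing the allowlist."""
    hits = []
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # not in the assumed format
        client, _method, uri, body = fields
        parts = urlsplit(uri)
        if not parts.path.lower().endswith(ENDPOINT):
            continue
        # The parameter may arrive in the query string or in a form body.
        for source in (parts.query, body):
            for value in parse_qs(source, keep_blank_values=True).get(PARAM, []):
                if not is_plain_host(value):
                    hits.append((client, value))
    return hits

# Constructed sample, assumed format: client, method, uri, body (tab-separated).
SAMPLE = [
    "198.51.100.7\tPOST\t/DateSetting.cgi\tszSrvIpAddr=192.0.2.10&x=1",
    "203.0.113.9\tPOST\t/DateSetting.cgi\tszSrvIpAddr=192.0.2.10%3Becho+constructed",
    "203.0.113.9\tGET\t/index.html\t-",
    "198.51.100.7\tPOST\t/DateSetting.cgi\tszSrvIpAddr=time.example.org",
    "203.0.113.9\tGET\t/DateSetting.cgi?szSrvIpAddr=192.0.2.10%0A\t-",
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE):
        print(f"{client} sent non-address {PARAM} value: {value!r}")
```

The check is an allowlist, so it does not depend on knowing which shell metacharacters a given payload uses; it only works on logs that capture request bodies, such as those from a reverse proxy or WAF.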

According to Akamai’s Kyle Lefton, the campaign likely connects with earlier malicious activity under the name InfectedSlurs. The attackers are also recycling other known vulnerabilities, such as CVE-2018-10561 in Hadoop YARN and a DigiEver bug identified in late 2024.

GeoVision’s devices involved in these attacks are classified as end-of-life (EoL), meaning they no longer receive security patches or updates. This makes them prime targets for cybercriminals. As a result, users with outdated GeoVision hardware are urged to upgrade to newer models that receive regular security support.

Lefton emphasized the ongoing risk: “One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices. Many manufacturers don’t issue updates for retired hardware — and some no longer exist.”

Samsung MagicINFO Servers Also Compromised by Mirai Botnet Attacks

While GeoVision devices are under siege, another front in the war against Mirai botnet attacks is emerging. Arctic Wolf and the SANS Technology Institute have confirmed that a path traversal vulnerability in Samsung’s MagicINFO 9 Server, tracked as CVE-2024-7399, is also being actively exploited.

This flaw carries a CVSS score of 8.8 and allows unauthenticated attackers to write arbitrary files on the server. If exploited correctly, it enables remote code execution by uploading malicious JavaServer Pages (JSP) files. These payloads download and install Mirai malware onto the target system.

Although Samsung issued a patch in August 2024, attackers only began widespread abuse after a proof-of-concept (PoC) exploit surfaced online on April 30, 2025. Since then, cybersecurity experts have observed real-world attacks, often involving shell scripts that directly install the botnet.

Users of MagicINFO 9 are advised to upgrade to version 21.1050 or later to mitigate this risk. Arctic Wolf warned that failure to patch could result in significant operational disruption, as infected systems may be absorbed into global DDoS botnets controlled by threat actors.

These incidents reveal a broader trend in cyberattacks — the increasing use of automated malware to exploit known vulnerabilities in IoT and enterprise systems. The Mirai botnet, originally discovered in 2016, remains one of the most popular choices among attackers because of its adaptability and wide-scale impact.

Patch Early, Replace Legacy Systems

The current wave of Mirai botnet attacks is another stark reminder of the importance of timely patching and hardware lifecycle management. End-of-life devices and unpatched software are often low-hanging fruit for attackers, making them easy targets for widespread exploitation.

Cybersecurity experts recommend that all organizations:

  • Regularly update device firmware and software.
  • Decommission outdated IoT and enterprise devices.
  • Monitor public vulnerability databases for emerging threats.
  • Use network segmentation and firewalls to isolate critical systems.

With threat actors showing no signs of slowing down, proactive defenses and quick responses are essential in mitigating these ever-evolving attacks.
