The Akamai Security Intelligence and Response Team (SIRT) has identified active exploitation of command injection vulnerabilities in discontinued GeoVision Internet of Things (IoT) devices.
The vulnerabilities, tracked as CVE-2024-6047 and CVE-2024-11120, were initially disclosed in June and November 2024, respectively, but had limited public information until now.
Akamai SIRT first detected suspicious activity targeting these flaws in early April 2025 through their global network of honeypots, marking the first documented exploitation of these vulnerabilities since their disclosure.
The primary target of these attacks is the /DateSetting.cgi endpoint, where unauthenticated remote attackers can inject arbitrary system commands via the szSrvIpAddr parameter due to inadequate input filtering in certain retired GeoVision models.
This critical flaw enables attackers to execute malicious payloads on vulnerable systems, posing a significant risk to organizations still using these outdated devices.
Mirai Variant LZRD and Botnet Tactics Exposed
The exploiting botnet, identified as a Mirai-based variant named LZRD, leverages these vulnerabilities to download and execute an ARM-based malware file dubbed “boatnet.”

Akamai’s analysis revealed that the botnet injects commands to fetch this malware from a malicious IP (176.65.144.253) and execute it on compromised devices, as seen in payloads targeting the GeoVision endpoint.
The LZRD variant is further distinguished by unique console strings printed upon execution and a suite of attack functions consistent with other Mirai strains, including methods like attack_tcp_syn and attack_udp_custom.
Additionally, Akamai uncovered hard-coded command and control (C2) IP addresses within the malware, alongside a banner message on C2 server ports reminiscent of the InfectedSlurs botnet reported in 2023.
Beyond GeoVision devices, this botnet also exploits other known vulnerabilities, such as those in Hadoop YARN, ZTE ZXV10 H108L routers, and DigiEver systems, highlighting its broad attack surface.
The persistence of Mirai-based threats underscores the danger of unpatched, retired IoT hardware, which remains a prime target for cybercriminals building expansive botnets.
Akamai notes that since GeoVision has confirmed these affected models are discontinued and will not receive updates, organizations are urged to decommission such devices and upgrade to supported hardware to mitigate risks.
The Akamai SIRT continues to monitor this evolving threat landscape and has provided a comprehensive list of indicators of compromise (IOCs) to aid defenders in identifying and blocking related malicious activity.
Indicators of Compromise (IOCs)
Type | Details |
---|---|
IPv4 Addresses | 209.141.44.28, 51.38.137.114, 176.65.144.253, 176.65.144.232, 198.23.212.246 |
C2 Domain | connect.antiwifi.dev |
SHA256 Hashes (Sample) | f05247a2322e212513ee08b2e8513f4c764bde7b30831736dfc927097baf6714, 11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114 (and more) |
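
For defenders who log HTTP requests in front of these devices, the following added example (not from Akamai or GeoVision) flags requests to /DateSetting.cgi whose szSrvIpAddr value is anything other than a plain address, and matches the IPv4 indicators from the table above. The record layout (source IP, request target, body), the check of both query string and body, and the allowed-character set are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "/datesetting.cgi"   # endpoint named in the article, compared case-insensitively
PARAM = "szSrvIpAddr"           # injectable parameter named in the article
# IPv4 indicators copied from the article's IOC table
IOC_IPS = ("176.65.144.232", "176.65.144.253", "198.23.212.246",
           "209.141.44.28", "51.38.137.114")
# Assumption: a legitimate value is only a hostname or IP literal
ADDRESS_ONLY = re.compile(r"[A-Za-z0-9.:-]{1,253}")

def _pairs(raw):
    """Split an urlencoded string on '&' only, so ';' stays inside the value."""
    for item in filter(None, raw.split("&")):
        name, _, value = item.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def inspect_request(target, body=""):
    """Return findings for one request; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ENDPOINT):
        return []
    findings = []
    for name, value in list(_pairs(parts.query)) + list(_pairs(body)):
        if name != PARAM:
            continue
        if not ADDRESS_ONLY.fullmatch(value):
            findings.append("szSrvIpAddr is not a plain address")
        findings += [f"szSrvIpAddr references IOC {ip}" for ip in IOC_IPS if ip in value]
    return findings

def scan(records):
    """records: iterable of (source_ip, target, body); return only flagged ones."""
    hits = []
    for src, target, body in records:
        findings = inspect_request(target, body)
        if src in IOC_IPS:
            findings.append(f"request came from IOC {src}")
        if findings:
            hits.append((src, findings))
    return hits

# Constructed sample records (not captured traffic); the injected part is a placeholder
SAMPLE = [
    ("192.0.2.7", "/DateSetting.cgi", "szSrvIpAddr=time.example.net"),
    ("203.0.113.9", "/DateSetting.cgi", "szSrvIpAddr=192.0.2.10%3BPLACEHOLDER_COMMAND"),
    ("176.65.144.253", "/index.html", ""),
]
```

Any hit on the endpoint itself from an untrusted network is worth reviewing, since the article notes the affected models will not receive updates.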