Hackers Leverage Samsung MagicINFO and GeoVision IoT Vulnerabilities to Spread Mirai Botnet

07.05.2025


Hackers have been actively taking advantage of unpatched security flaws in outdated GeoVision Internet of Things devices to add them to the Mirai botnet. This botnet is commonly used to launch large-scale distributed denial of service attacks. The malicious activity was first identified by Akamai’s Security Intelligence and Response Team in early April 2025.

The attackers are exploiting two critical command injection vulnerabilities, tracked as CVE-2024-6047 and CVE-2024-11120. These flaws allow the execution of system commands by abusing a specific endpoint called DateSetting.cgi through a parameter named szSrvIpAddr. Once exploited, the attackers can remotely control the devices.
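As an added illustration (not code from the article or from Akamai's report), here is a defender-side check over constructed web-server log lines: it flags any DateSetting.cgi request whose szSrvIpAddr value is not a plain IP address or hostname, which is the only thing that field should ever carry. The log format, client addresses and parameter values are assumptions made for the example.

```python
import re
import ipaddress
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2025:10:12:01 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.168.1.10 HTTP/1.1" 200 512
10.0.0.7 - - [03/Apr/2025:10:12:09 +0000] "POST /DateSetting.cgi?szSrvIpAddr=192.168.1.10%3Becho HTTP/1.1" 200 512
10.0.0.9 - - [03/Apr/2025:10:12:15 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.11 - - [03/Apr/2025:10:12:20 +0000] "GET /datesetting.cgi?szSrvIpAddr=ntp.example.org HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

def is_valid_server_address(value):
    """Allowlist check: a time-server field may only be an IP address or a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None

def query_values(query, name):
    """Yield decoded values of `name`; split on '&' only, so an encoded ';' stays in the value."""
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        if unquote(key) == name:
            yield unquote(val)

def find_suspicious_requests(log_text):
    """Return (client_ip, decoded_value) for each DateSetting.cgi request whose
    szSrvIpAddr fails the allowlist, i.e. contains characters foreign to an address."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path.lower() != "/datesetting.cgi":  # match regardless of case
            continue
        for value in query_values(parts.query, "szSrvIpAddr"):
            if not is_valid_server_address(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits
```

An allowlist on the expected syntax catches metacharacters without having to enumerate payloads, so the same check also covers variants the original exploit attempts did not use.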

The compromised devices are being used to download and run a version of the Mirai malware designed for ARM-based systems, known as LZRD. This campaign also includes the use of other vulnerabilities such as a known issue in Hadoop YARN and a DigiEver flaw disclosed in late 2024. Researchers believe the operation may be connected to a threat group referred to as InfectedSlurs.

In a separate wave of attacks, a serious vulnerability in Samsung MagicINFO 9 Server has also been targeted. This flaw, identified as CVE-2024-7399, allows unauthorized users to write arbitrary files to the system. If exploited, it could lead to remote code execution by placing malicious files. Although a patch was released by Samsung in August 2024, the flaw became a target again after a proof of concept was made public in April 2025.

Security experts recommend replacing unsupported GeoVision devices and updating Samsung MagicINFO servers to version 21.1050 or higher. These measures are essential to prevent systems from being compromised and used in future botnet attacks.
