Mirai Botnet Reborn Targets Samsung Digital Signage and Vulnerable IoT Devices
A resurgence of the infamous Mirai botnet is underway, with attackers leveraging known vulnerabilities in end-of-life GeoVision Internet of Things (IoT) devices and Samsung MagicINFO digital signage to build their DDoS army. Security researchers are warning that unpatched systems are being actively recruited into the botnet, potentially leading to disruptive distributed denial-of-service attacks.

Bad news for owners of older GeoVision IoT devices: hackers are actively exploiting security holes in these end-of-life (EoL) devices. The goal? To add them to a Mirai botnet, which can then be used to launch crippling distributed denial-of-service (DDoS) attacks.
The Akamai Security Intelligence and Response Team (SIRT) first spotted this activity in early April 2025. It turns out the attackers are leveraging two operating system command injection vulnerabilities – CVE-2024-6047 and CVE-2024-11120 – both with a scary CVSS score of 9.8. These flaws allow hackers to run arbitrary system commands on the affected devices.
According to Akamai researcher Kyle Lefton, "The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, and injects commands into the szSrvIpAddr parameter." He shared this information in a report with The Hacker News.
So what happens once a device is compromised? The botnet injects commands to download and run an ARM version of the Mirai malware, known as LZRD.
This isn't the first time Mirai has been spotted exploiting vulnerabilities. Other bugs used by this botnet include a Hadoop YARN vulnerability (CVE-2018-10561) and a DigiEver flaw, previously highlighted in December 2024.
Interestingly, there's evidence suggesting this campaign overlaps with activity previously tracked under the name InfectedSlurs. It seems like these guys have been at it for a while.
Lefton points out a key strategy used by cybercriminals: "One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices." Makes sense, right?
He also notes a common problem: "There are many hardware manufacturers who do not issue patches for retired devices (in some cases, the manufacturer itself may be defunct)." Ouch. That leaves users in a tough spot.
Since these GeoVision devices are unlikely to get any new security updates, the best advice is to upgrade to a newer model. It's the most effective way to protect yourself from becoming part of this botnet.
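A log check for the request Lefton describes, as an added example that is not from Akamai's report: it flags requests to /DateSetting.cgi whose szSrvIpAddr value is anything other than a plain hostname or IP address. It assumes the proxy or WAF log records the query string or form body; the function names, the allow-list pattern and the sample records are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

ENDPOINT = "/datesetting.cgi"  # endpoint named in the report (compared lower-case)
PARAM = "szSrvIpAddr"          # parameter named in the report

# Assumption: a legitimate value is empty or a bare hostname / IP literal.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.:\-]{0,253}")


def suspicious_values(url, body=""):
    """Return decoded szSrvIpAddr values that are not a plain host or IP."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(ENDPOINT):
        return []
    hits = []
    for source in (parts.query, body):
        # Split on '&' only, so a ';' inside a value is kept and inspected.
        for pair in source.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name) != PARAM:
                continue
            value = unquote_plus(value)  # %3B and ';' are treated alike
            if not SAFE_VALUE.fullmatch(value):
                hits.append(value)
    return hits


def scan(records):
    """Return (source address, offending value) for every flagged record."""
    return [(r["src"], v)
            for r in records
            for v in suspicious_values(r["url"], r.get("body", ""))]


# Constructed sample records (documentation addresses, harmless values).
SAMPLE_RECORDS = [
    {"src": "192.0.2.44", "url": "/DateSetting.cgi",
     "body": "example_field=1&szSrvIpAddr=time.example.test"},
    {"src": "198.51.100.7", "url": "/DateSetting.cgi",
     "body": "example_field=1&szSrvIpAddr=192.0.2.1%3Becho+constructed"},
    {"src": "203.0.113.9", "url": "/index.html?szSrvIpAddr=a%3Bb"},
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_RECORDS):
        print(f"{src} sent a non-address {PARAM} value: {value!r}")
```
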
Samsung MagicINFO Flaw Also Exploited in Mirai Attacks
And the news doesn't stop there. Arctic Wolf and the SANS Technology Institute are warning about active exploitation of CVE-2024-7399, a path traversal vulnerability in Samsung MagicINFO 9 Server. With a CVSS score of 8.8, this flaw allows attackers to write arbitrary files with system privileges, ultimately leading to Mirai botnet infections.
Samsung addressed this issue back in August 2024. However, the vulnerability has now been weaponized after a proof-of-concept (PoC) was released on April 30, 2025. This PoC allows attackers to retrieve and execute a shell script that downloads the botnet malware.
"The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files," Arctic Wolf explained.
The recommendation? Update your Samsung MagicINFO 9 Server instances to version 21.1050 or later to avoid potential problems.