Stratos Ally

IoT Flaws in Samsung and GeoVision Devices Used to Deploy Mirai Botnet


StratosAlly


Hackers are taking advantage of old, unsupported GeoVision Internet of Things (IoT) devices to force them into a network of infected devices known as the Mirai botnet. These botnets are used to launch powerful distributed denial-of-service (DDoS) attacks, which can overload and crash websites or online services.

Security experts at Akamai first detected this hacking activity in early April 2025. The hackers are using two serious security vulnerabilities named CVE-2024-6047 and CVE-2024-11120, both rated very dangerous, to take control of these devices.  

The attack works by sending malicious commands to the device's "/DateSetting.cgi" endpoint and hiding those commands inside a parameter called "szSrvIpAddr," tricking the device into running them.
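One way to spot the request pattern described above in web or proxy logs, as an added example that is not from the article or from Akamai. The tab-separated log format, the sample lines and the rule that a legitimate "szSrvIpAddr" value contains only address or hostname characters are assumptions made for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate szSrvIpAddr value is an IP address or hostname,
# so only these characters should ever appear in it.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.:\-]{1,253}")
TARGET_PATH = "/datesetting.cgi"
TARGET_FIELD = "szSrvIpAddr"

def suspicious_values(path_and_query, body=""):
    """Return szSrvIpAddr values that do not look like an address."""
    parts = urlsplit(path_and_query)
    if not parts.path.lower().endswith(TARGET_PATH):
        return []
    hits = []
    # The parameter may arrive in the query string or in a form-encoded body.
    for raw in (parts.query, body):
        fields = parse_qs(raw, keep_blank_values=True)
        for value in fields.get(TARGET_FIELD, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append(value)
    return hits

def scan(log_lines):
    """Yield (source_ip, value) for each flagged request.

    Assumed log format (constructed for this example), tab-separated:
    source_ip, method, path?query, form body
    """
    for line in log_lines:
        cols = line.rstrip("\n").split("\t")
        if len(cols) < 3:
            continue  # malformed line, skip it
        src, _method, target = cols[:3]
        body = cols[3] if len(cols) > 3 else ""
        for value in suspicious_values(target, body):
            yield src, value

# Constructed sample log; flagged values carry a harmless placeholder token.
SAMPLE_LOG = [
    "198.51.100.7\tPOST\t/DateSetting.cgi\tfield1=2&szSrvIpAddr=192.0.2.10",
    "203.0.113.9\tPOST\t/DateSetting.cgi\tszSrvIpAddr=192.0.2.10%3BPLACEHOLDER",
    "203.0.113.9\tGET\t/DateSetting.cgi?szSrvIpAddr=ntp.example.org%7CPLACEHOLDER\t",
    "198.51.100.7\tGET\t/index.html\t",
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT {src} szSrvIpAddr={value!r}")
```

Any hit on an internet-facing GeoVision device is worth triaging, since the affected models are unsupported and will not receive a fix.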

In these attacks, the hackers are using the infected devices to download and run a version of the Mirai malware called LZRD, which is built to run on ARM processors.

To spread the malware, the attackers also use other known security flaws, including: 

A weakness in Hadoop YARN, 

A vulnerability called CVE-2018-10561 and 

A bug in DigiEver devices reported in December 2024.  

There are signs that this hacking campaign might be connected to an earlier set of attacks known as InfectedSlurs.  

One of the easiest ways for hackers to build a botnet is by attacking old devices that have weak security and outdated software, said researcher Kyle Lefton. 

Many companies that make these devices don’t release updates or fixes once the devices are no longer sold. In some cases, the company may have even shut down completely.  

Since the old GeoVision devices probably won’t get any security updates, it’s best for users to switch to a newer model to stay protected from attacks.  

Security experts from Arctic Wolf and the SANS Institute have identified that cybercriminals are actively taking advantage of a vulnerability, CVE-2024-7399, found in the Samsung MagicINFO 9 server to distribute the Mirai botnet. 

This flaw, which was fixed by Samsung in August 2024, lets attackers write any files they want on the system, even if they aren’t logged in. Hackers began using it more after a proof-of-concept (PoC) was shared online on April 30, 2025.

Using this weakness, attackers can run a script that downloads the Mirai botnet. According to Arctic Wolf, the flaw could allow hackers to take over the system by placing specially made files called JSP files that let them run their own code remotely. 

Users are advised to update their software to version 21.1050 or newer to help protect their systems and avoid possible problems caused by security flaws.
