
Attackers are actively exploiting command injection vulnerabilities in discontinued GeoVision Internet of Things (IoT) devices, escalating concerns about outdated technologies being targeted by botnets.
The vulnerabilities, CVE-2024-6047 and CVE-2024-11120, affect GeoVision devices and are being actively exploited for the first time since their disclosure in 2024, security researchers at Akamai say in a recent report.
A Mirai-based botnet dubbed "LZRD" is leveraging these vulnerabilities to install malware via the vulnerable /DateSetting.cgi endpoint.
Akamai’s global network of honeypots identified this activity beginning in April 2025. The attack involves injecting commands into the szSrvIpAddr parameter to download and execute malicious files.
The vulnerabilities allow unauthenticated remote attackers to inject and execute arbitrary system commands on retired GeoVision device models running outdated firmware. Attackers target the endpoint /DateSetting.cgi, injecting crafted inputs to install malware and establish control over the compromised system.
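One way to detect the request pattern described above, added here as an example and not taken from Akamai's report or from GeoVision code: it flags requests to /DateSetting.cgi whose szSrvIpAddr value is anything other than a plain IP address or hostname. The log format, the sample lines and the assumption that a legitimate value is a bare host are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ENDPOINT = "/datesetting.cgi"   # endpoint named in the article, lower-cased
PARAM = "szSrvIpAddr"           # parameter named in the article
# Assumption: a legitimate value is a bare IPv4 address or DNS hostname.
PLAIN_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

# Constructed log lines: "<src> <method> <uri> <form body or ->"
SAMPLE_LOG = """\
198.51.100.4 POST /DateSetting.cgi szSrvIpAddr=192.0.2.20&other=1
203.0.113.7 POST /DateSetting.cgi szSrvIpAddr=192.0.2.20%3Bid
203.0.113.9 GET /DateSetting.cgi?szSrvIpAddr=time.example.org -
203.0.113.7 GET /index.html -
203.0.113.8 POST /DateSetting.cgi other=1&szSrvIpAddr=%24(id)
"""

def param_values(encoded: str, name: str) -> list[str]:
    """Decode every occurrence of `name` in a URL-encoded parameter string."""
    values = []
    for pair in encoded.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return values

def is_suspicious(uri: str, body: str = "") -> bool:
    """True if a request to the endpoint carries a non-host szSrvIpAddr value."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith(ENDPOINT):
        return False
    values = param_values(parts.query, PARAM) + param_values(body, PARAM)
    # Decode first, then allow-list: anything beyond host characters is flagged.
    return any(v and not PLAIN_HOST.fullmatch(v) for v in values)

def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (source, uri) for each flagged line of the constructed log format."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 3)
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        src, _method, uri, body = fields
        if is_suspicious(uri, "" if body == "-" else body):
            hits.append((src, uri))
    return hits

if __name__ == "__main__":
    for src, uri in scan(SAMPLE_LOG):
        print(f"ALERT {src} sent a non-host {PARAM} value to {uri}")
```

Checking the decoded value against an allow-list of host characters avoids chasing individual shell metacharacters or their encodings.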
Once exploited, the attack downloads a Mirai variant named "boatnet" onto the devices. This malware is capable of executing several attack functions, such as TCP and UDP floods, often used in Distributed Denial-of-Service (DDoS) campaigns.
This specific botnet is not limited to exploiting GeoVision vulnerabilities. Akamai observed it attempting to exploit other known vulnerabilities, such as a Hadoop YARN vulnerability, the ZTE ZXV10 H108L Router exploit (CVE-2018-10561), and the DigiEver vulnerability, making it a multi-layered threat.
The investigation also revealed hard-coded command-and-control (C2) IP addresses within the malware’s architecture, further detailing its infrastructure. A unique banner message on certain C2 server ports provided additional clues for fingerprinting the botnet’s operations.
The continued use of retired and poorly secured IoT devices significantly expands the attack surface for cybercriminals. With no security updates available for these GeoVision models, businesses relying on outdated technology are especially vulnerable.