GeoVision IoT Devices Under Siege
The Akamai Security Intelligence and Response Team (SIRT) revealed in early April 2025 that attackers are targeting two high-severity OS command injection flaws — CVE-2024-6047 and CVE-2024-11120 (CVSS score: 9.8). These vulnerabilities enable threat actors to remotely execute arbitrary commands by exploiting the /DateSetting.cgi endpoint via the szSrvIpAddr parameter.
According to Akamai researcher Kyle Lefton, the malicious payload includes an ARM-based variant of the Mirai malware, dubbed LZRD, which gets downloaded and executed on compromised devices.
This attack campaign also involves the abuse of previously known flaws, such as:
- CVE-2018-10561 – A known Hadoop YARN vulnerability
- An undisclosed DigiEver flaw exposed in December 2024
Evidence suggests this campaign may be linked to a previously identified operation called InfectedSlurs.
“Attackers often target outdated IoT firmware and unpatched legacy devices, which are rarely maintained or updated by manufacturers,” Lefton stated.
Security Recommendation: Since GeoVision has discontinued support for the affected models, users are strongly advised to upgrade to newer, secure devices to prevent future compromise.
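Until affected units are replaced, requests to the /DateSetting.cgi endpoint that carry an szSrvIpAddr value can be screened at a proxy or in captured traffic. The following is an added detection example, not code from Akamai or GeoVision; it assumes a legitimate szSrvIpAddr is only ever an IP address or plain hostname, and the record layout, the "other" parameter and the sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/datesetting.cgi"   # endpoint named in the article (compared case-insensitively)
TARGET_PARAM = "szSrvIpAddr"       # parameter named in the article

# Assumption: a legitimate value is an IP literal or a plain DNS hostname.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*")

def is_plain_host(value):
    """True if value is an IPv4/IPv6 literal or a syntactically plain hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and bool(HOSTNAME_RE.fullmatch(value))

def suspicious_values(url, body=""):
    """Return decoded szSrvIpAddr values (query string or form body) that are not a plain host."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(TARGET_PATH):
        return []
    values = []
    for source in (parts.query, body):
        values += parse_qs(source).get(TARGET_PARAM, [])
    return [v for v in values if not is_plain_host(v)]

def scan(requests):
    """requests: iterable of (src_ip, method, url, body). Returns a list of alert dicts."""
    alerts = []
    for src, method, url, body in requests:
        bad = suspicious_values(url, body)
        if bad:
            alerts.append({"src": src, "method": method, "values": bad})
    return alerts

# Constructed sample records (not from the article or any real capture).
SAMPLE = [
    ("198.51.100.7", "POST", "/DateSetting.cgi", "other=1&szSrvIpAddr=time.example.net"),
    ("203.0.113.9", "POST", "/DateSetting.cgi", "other=1&szSrvIpAddr=192.0.2.10%3Bid"),
    ("203.0.113.9", "GET", "/DateSetting.cgi?szSrvIpAddr=%24(id)", ""),
    ("198.51.100.7", "GET", "/index.html?szSrvIpAddr=%3Bid", ""),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the check is an allowlist on the parameter's expected shape rather than a list of known payload strings, it also flags encoded or novel metacharacter variants.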
Samsung MagicINFO Vulnerability Weaponized
In parallel, cybersecurity experts from Arctic Wolf and the SANS Technology Institute have observed the exploitation of CVE-2024-7399 (CVSS score: 8.8), a path traversal vulnerability in Samsung MagicINFO 9 Server. The flaw allows unauthenticated attackers to write arbitrary files as SYSTEM, potentially leading to remote code execution (RCE).
Although Samsung patched the issue in August 2024, it is now being actively exploited following the release of a proof-of-concept (PoC) on April 30, 2025. The PoC leverages the flaw to drop a shell script that fetches and runs the Mirai malware.
Security Recommendation: All users should immediately update to Samsung MagicINFO version 21.1050 or later to eliminate the risk of exploitation.
Final Thoughts
These latest botnet attacks underscore the urgent need for proactive IoT security, firmware patching, and regular vulnerability assessments. Devices running on legacy or unsupported software continue to pose a major threat to internet infrastructure, serving as easy targets for botnet operations like Mirai.
Stay protected—patch early, upgrade often, and monitor continuously.