New Aquabot Variant Exploiting Mitel SIP Phones via CVE-2024-41710 | Black Hat Ethical Hacking



A new Mirai-based botnet malware variant, Aquabotv3, has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones. This latest attack campaign was discovered by Akamai’s Security Intelligence and Response Team (SIRT), which reports that Aquabotv3 is the third known iteration of the Aquabot malware family.

Evolution of Aquabot

Aquabot first emerged in 2023, with a second variant introducing persistence mechanisms shortly afterward. The latest version, Aquabotv3, brings a new feature that detects process termination attempts and reports them to the command-and-control (C2) server.

Akamai notes that this capability is unusual for botnets, suggesting that Aquabotv3’s operators may be using it to monitor and counteract interference from security tools.

[Figure: Reporting process kill attempts to the C2. Source: Akamai]

Targeting Mitel SIP Phones

Aquabotv3 is exploiting CVE-2024-41710, a command injection vulnerability affecting:

  • Mitel 6800 Series SIP Phones
  • Mitel 6900 Series SIP Phones
  • Mitel 6900w Series SIP Phones

These devices are widely used in corporate offices, enterprises, government agencies, hospitals, educational institutions, hotels, and financial institutions.

The vulnerability is rated medium severity and allows an authenticated attacker with admin privileges to execute arbitrary commands via argument injection during the boot process.

Exploitation of CVE-2024-41710

  • Mitel released patches and a security advisory on July 17, 2024, urging users to update.
  • Two weeks later, security researcher Kyle Burns published a proof-of-concept (PoC) exploit on GitHub.
  • Aquabotv3 is the first documented malware leveraging this PoC exploit in active attacks.

“Akamai SIRT detected exploit attempts targeting this vulnerability through our global network of honeypots in early January 2025 using a payload almost identical to the PoC,” Akamai researchers stated.

