Remote Code Execution Vulnerability in Wazuh by Vulnerable Deserialization
CVE-2025-24016
What is CVE-2025-24016?
CVE-2025-24016 is a remote code execution vulnerability identified in the Wazuh platform, which is an open-source solution designed for threat detection, prevention, and response. The flaw arises from an unsafe deserialization process, allowing malicious actors with API access to execute arbitrary Python code on Wazuh servers. This vulnerability can be particularly damaging as it enables unauthorized remote code execution, potentially compromising the integrity and availability of the organization's security framework.
Technical Details
The vulnerability affects Wazuh versions from 4.4.0 up to, but not including, 4.9.1. The root cause lies in the way DistributedAPI (DAPI) parameters are serialized as JSON and subsequently deserialized by the as_wazuh_object method in the framework's core files. If an attacker can inject an untrusted dictionary into a DAPI request or response, they can craft an unhandled exception that results in the execution of arbitrary code. The vulnerability can be exploited by any user with API access, and the risk is greatest in scenarios involving a compromised dashboard or server within the Wazuh cluster.
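As an added illustration of the defensive pattern (not Wazuh's own code, and not a reproduction of the vulnerable hook), here is a constructed `json.loads` object hook that rebuilds objects only from an explicit allowlist of type markers and fails closed on anything else; the marker key, the two example types and the sample payloads are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

MARKER = "__type__"  # constructed marker key; not Wazuh's real wire format


@dataclass(frozen=True)
class AgentStatus:
    """Constructed example type that the hook is allowed to rebuild."""
    agent_id: str
    status: str


class UnsafePayload(ValueError):
    """Raised when a dict asks to be rebuilt as something not on the allowlist."""


def _build_agent_status(d: dict) -> AgentStatus:
    return AgentStatus(agent_id=str(d["agent_id"]), status=str(d["status"]))


def _build_datetime(d: dict) -> datetime:
    return datetime.fromisoformat(d["iso"]).astimezone(timezone.utc)


# The allowlist: marker value -> builder. A payload can only pick from these;
# no class name, module path or expression taken from the payload is ever resolved.
BUILDERS = {"AgentStatus": _build_agent_status, "datetime": _build_datetime}


def as_allowlisted_object(d: dict):
    """object_hook for json.loads: rebuild allowlisted types, fail closed otherwise."""
    kind = d.get(MARKER)
    if kind is None:
        return d  # plain dict, no reconstruction requested
    if not isinstance(kind, str) or kind not in BUILDERS:
        raise UnsafePayload(f"refusing to rebuild unknown type marker {kind!r}")
    try:
        return BUILDERS[kind](d)
    except (KeyError, TypeError, ValueError) as exc:
        raise UnsafePayload(f"malformed {kind} payload: {exc}") from exc


def decode_payload(raw: str):
    """Decode a JSON document; json calls the hook for every nested dict, innermost first."""
    return json.loads(raw, object_hook=as_allowlisted_object)


def is_rejected(raw: str) -> bool:
    """True when the payload is refused by the allowlist check."""
    try:
        decode_payload(raw)
    except UnsafePayload:
        return True
    return False
```

Because the hook runs on every nested dict, a marker buried inside a list or sub-object is checked the same way as one at the top level.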
Potential Impact of CVE-2025-24016
- Unauthorized Remote Code Execution: Attackers can execute arbitrary code on affected Wazuh servers, leading to complete system compromise and control over security operations.
- Data Breaches: The ability to run unverified code can result in unauthorized access to sensitive data, potentially leading to data leaks or theft, affecting organizational compliance and reputation.
- Disruption of Security Services: Compromised Wazuh instances may cause failures in threat detection and response mechanisms, allowing undetected attacks and vulnerabilities to proliferate, ultimately undermining overall security posture.
CISA has reported CVE-2025-24016
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-24016 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
wazuh >= 4.4.0, < 4.9.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Week in review: Microsoft fixes exploited zero-day, Mirai botnets target unpatched Wazuh servers - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes zero-day exploited for cyber espionage
1 week ago
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
CISA has added two new vulnerabilities to its KEV Catalog, based on evidence of active exploitation
2 weeks ago
Mirai Botnets Exploit Flaw in Wazuh Security Platform
The two campaigns are good examples of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs.
2 weeks ago
EPSS Score
91% chance of being exploited in the next 30 days.
Timeline
- 🦅 CISA Reported
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 📰 First article discovered by SonicWall
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved