Remote Code Execution Vulnerability in Wazuh by Vulnerable Deserialization
CVE-2025-24016

9.9 CRITICAL

Key Information:

Vendor: Wazuh
Status: Wazuh Vendor
CVE Published: 10 February 2025

Badges

📈 Score: 1,810
👾 Exploit Exists
🟡 Public PoC
📰 News Worthy

What is CVE-2025-24016?

CVE-2025-24016 is a remote code execution vulnerability in Wazuh, an open-source platform for threat detection, prevention and response. The flaw is an unsafe deserialization in the server's API layer: a client with API access can supply a crafted object that the server deserializes into arbitrary Python code and executes. Because the Wazuh server sits at the centre of an organization's monitoring, a successful exploit compromises not just the host but the integrity and availability of the security tooling that depends on it.

Technical Details

The vulnerability affects Wazuh versions from 4.4.0 up to, but not including, 4.9.1. The root cause is in the DistributedAPI (DAPI): request and response parameters are serialized as JSON and deserialized with the as_wazuh_object method in the framework's core files, which rebuilds typed objects from specially tagged dictionaries. One of those tags represents an unhandled exception, and the class name and arguments carried in that dictionary are evaluated as Python when the object is rebuilt. An attacker who can get an untrusted dictionary into a DAPI request or response can therefore forge an unhandled-exception entry whose class name is an arbitrary Python expression, and the server executes it. Any user with API access can trigger the issue, which is why a compromised dashboard or a compromised server within the Wazuh cluster is a realistic starting point. The unsafe evaluation is removed in 4.9.1.
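To make the bug class concrete, here is an added example (not Wazuh's own code) of a JSON object hook in the style described above: a tagged dictionary is turned back into an exception object, first by evaluating the class name it carries, then with an allowlist lookup. The marker and field names, the function names and the two sample messages are constructed for illustration.

```python
import json

# Added example (not Wazuh's code): a json.loads object_hook that rebuilds
# typed objects from tagged dictionaries, in the vulnerable form described
# on the page and in a hardened form. The marker name '__unhandled_exc__',
# the '__class__'/'__args__' fields and the function names are assumptions
# made for illustration.

MARKER = "__unhandled_exc__"


class DeserializationError(ValueError):
    """Raised by the hardened hook for any tagged object it will not rebuild."""


def as_object_vulnerable(dct):
    """Vulnerable pattern: the class name arrives in the JSON document and is
    resolved with eval(), so it may be any Python expression, not just the
    name of an exception class."""
    if MARKER in dct:
        exc = dct[MARKER]
        return eval(exc["__class__"])(*exc["__args__"])  # attacker controls both
    return dct


# Hardened pattern: a fixed table of the exception types a peer is allowed to
# transport. The name is used as a dictionary key, never evaluated, and the
# arguments must be a list of JSON scalars.
ALLOWED_EXCEPTIONS = {
    "KeyError": KeyError,
    "ValueError": ValueError,
    "TimeoutError": TimeoutError,
}
SCALARS = (str, int, float, bool, type(None))


def as_object_hardened(dct):
    if MARKER in dct:
        exc = dct[MARKER]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        args = exc.get("__args__", [])
        if (cls is None or not isinstance(args, list)
                or not all(isinstance(a, SCALARS) for a in args)):
            raise DeserializationError(f"refusing to rebuild {exc.get('__class__')!r}")
        return cls(*args)
    return dct


def decode(payload, hook):
    return json.loads(payload, object_hook=hook)


# Constructed messages. LEGIT is the shape a peer would send to forward a
# KeyError; MALICIOUS reuses the same marker but puts a Python expression in
# the class-name slot. The expression is deliberately harmless (it only
# builds a string) so the script is safe to run.
LEGIT = json.dumps({MARKER: {"__class__": "KeyError", "__args__": ["agent_id"]}})
MALICIOUS = json.dumps({MARKER: {"__class__": "(lambda *a: 'code ran: ' + a[0])",
                                 "__args__": ["attacker input"]}})


def demo_vulnerable():
    """Both messages are accepted; the second one executes attacker code."""
    legit = decode(LEGIT, as_object_vulnerable)
    evil = decode(MALICIOUS, as_object_vulnerable)
    return type(legit).__name__, evil


def demo_hardened():
    """The legitimate message is rebuilt; the forged one is rejected."""
    legit = decode(LEGIT, as_object_hardened)
    try:
        decode(MALICIOUS, as_object_hardened)
        blocked = False
    except DeserializationError:
        blocked = True
    return type(legit).__name__, blocked


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

Running the script prints both results. The essential difference is that the hardened hook treats the incoming name as a lookup key rather than as code, so the worst a forged message can do is fail validation; with eval, the name may be any expression, and builtins that run further code are reachable from it.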

Potential Impact of CVE-2025-24016

  1. Unauthorized Remote Code Execution: an attacker runs arbitrary code on the affected Wazuh server, gaining full control of the host and of the security operations it supports.

  2. Data Breaches: code execution on the server exposes the sensitive data it holds and can lead to leaks or theft, with compliance and reputational consequences for the organization.

  3. Disruption of Security Services: a compromised Wazuh instance can be made to stop detecting or responding, letting other attacks proceed unnoticed and undermining the overall security posture.

Affected Version(s)

wazuh >= 4.4.0, < 4.9.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key building block for weaponization, which can end in ransomware deployment.

News Articles

Critical Wazuh RCE Vulnerability (CVE-2025-24016): Risks, Exploits and Remediation

Overview SonicWall Capture Labs threat research team has become aware of a critical remote code execution (RCE) vulnerability in Wazuh Server (CVE-2025-24016) and has implemented mitigating measures. Wazuh is...

16 hours ago


CVSS V3.1

Score: 9.9
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 📰 First article discovered by SonicWall
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved