Remote Code Execution Vulnerability in Wazuh by Vulnerable Deserialization
CVE-2025-24016
Key Information:
Badges
What is CVE-2025-24016?
CVE-2025-24016 is a remote code execution vulnerability identified in the Wazuh platform, which is an open-source solution designed for threat detection, prevention, and response. The flaw arises from an unsafe deserialization process, allowing malicious actors with API access to execute arbitrary Python code on Wazuh servers. This vulnerability can be particularly damaging as it enables unauthorized remote code execution, potentially compromising the integrity and availability of the organization's security framework.
Technical Details
The vulnerability affects Wazuh versions from 4.4.0 up to, but not including, 4.9.1. The root cause lies in the way the DistributedAPI parameters are serialized as JSON and subsequently deserialized using the as_wazuh_object method in the framework's core files. If an attacker can inject an untrusted dictionary into the DAPI request/response, they can create an unhandled exception that allows for the execution of arbitrary code. The vulnerability can be exploited by any user with API access, especially in scenarios involving compromised dashboards or servers within the Wazuh cluster.
Potential Impact of CVE-2025-24016
-
Unauthorized Remote Code Execution: Attackers can execute arbitrary code on affected Wazuh servers, leading to complete system compromise and control over security operations.
-
Data Breaches: The ability to run unverified code can result in unauthorized access to sensitive data, potentially leading to data leaks or theft, affecting organizational compliance and reputation.
-
Disruption of Security Services: Compromised Wazuh instances may cause failures in threat detection and response mechanisms, allowing undetected attacks and vulnerabilities to proliferate, ultimately undermining overall security posture.
Affected Version(s)
wazuh >= 4.4.0, < 4.9.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
GBHackers NewsCVE-2025-24016Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution
A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information and Event Management (SIEM) platform.
Last Week in Security (LWiS) - 2025-02-25
ADIDNS Parser (@the_bit_diddler), Parallels LPE (@patch1t), PowerChell (@itm4n), SACL Scanner (Alexander DeMine of @SpecterOps), and more! Last Week in Security is a summary of the interesting cybersecurity...
Critical Wazuh RCE Vulnerability (CVE-2025-24016): Risks, Exploits and Remediation
Overview SonicWall Capture Labs threat research team has become aware of a critical remote code execution (RCE) vulnerability in Wazuh Server (CVE-2025-24016) and has implemented mitigating measures. Wazuh is...
References
EPSS Score
76% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 📈
Vulnerability started trending
- 📰
First article discovered by SonicWall
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved