Time-of-Check/Time-of-Use Race Condition in Wazuh File Integrity Monitoring
CVE-2025-34294

7.1HIGH

Key Information:

Vendor

Wazuh, Inc.

Status
Wazuh
Vendor
CVE Published:
28 October 2025

What is CVE-2025-34294?

A race condition in Wazuh's File Integrity Monitoring feature when configured with automatic threat removal allows local attackers to exploit insufficient synchronization. The issue arises when the agent records an active-response action but fails to validate the deletion target properly, leading to the risk of SYSTEM-level arbitrary file deletion. This vulnerability can enable attackers to manipulate the deletion process, resulting in unauthorized access and potential privilege escalation. An incomplete fix was attempted in pull request 8697 on July 10, 2025.

Affected Version(s)

Wazuh 0

References

https://wazuh.com/blog/detecting-and-responding-to-malici...
product
https://documentation.wazuh.com/current/user-manual/capab...
product
https://github.com/wazuh/wazuh-documentation/pull/8697
issue-tracking

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eduardo PĂ©rez Malumbres Cervera from KPMG Spain
JSON
.
CVE-2025-34294 : Time-of-Check/Time-of-Use Race Condition in Wazuh File Integrity Monitoring