Remote Code Execution in Wazuh due to Untrusted Data Deserialization
CVE-2026-25769

9.1 CRITICAL

Key Information:

Vendor: Wazuh

Status
Vendor
CVE Published: 17 March 2026

Badges

  • 🔥 Trending now
  • 📈 Trended
  • 📈 Score: 2,070
  • 👾 Exploit Exists
  • 🟡 Public PoC

What is CVE-2026-25769?

CVE-2026-25769 is a severe vulnerability in Wazuh, a popular open-source platform for security monitoring, threat detection, and incident response. It arises from the deserialization of untrusted data, which can be exploited to execute code remotely. It affects Wazuh versions 4.0.0 through 4.14.2, particularly in environments that use a clustered setup with a master/worker architecture.

If a worker node is compromised (for example through insider threats, supply chain attacks, or initial access vulnerabilities), an attacker can escalate privileges to achieve full remote code execution on the master node. Because Wazuh is often deployed for critical security tasks within organizations, successful exploitation could give attackers extensive control over security monitoring functions, with severe consequences for the integrity and confidentiality of organizational data.

Potential impact of CVE-2026-25769

  1. Full System Compromise: The ability to execute arbitrary code on the master node provides attackers with root-level access, enabling them to manipulate security policies, alter configurations, and disable monitoring capabilities. This extensive control poses significant risks to the entire organization’s cybersecurity posture.

  2. Data Breach Risk: With elevated privileges, attackers can exfiltrate sensitive data from the organization, undermining data integrity and confidentiality. This vulnerability could also facilitate the introduction of malicious payloads into the environment, leading to further breaches.

  3. Operational Disruption: Exploitation of this vulnerability could seriously disrupt security operations. By compromising the master node, attackers can undermine Wazuh’s ability to monitor and respond to threats in real time, potentially allowing other vulnerabilities or threats to go unnoticed.

Affected Version(s)

wazuh >= 4.0.0, < 4.14.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available
  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved