Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using the `as_wazuh_object` function in the file `framework/wazuh/core/cluster/common.py`. An attacker who manages to inject an unverified dictionary into a DAPI request or response can craft an unhandled exception (`__unhandled_exc__`), which during deserialization leads to arbitrary Python code execution. The vulnerability can be triggered by anyone with API access (e.g., via a compromised dashboard or another Wazuh server in the cluster), and in some configurations also by a compromised agent.
An attacker can remotely execute arbitrary code on the Wazuh server with process privileges, which in practice means full control over the server, potential breach of data confidentiality, system integrity, and availability.
Wazuh must be urgently updated to version 4.9.1, which contains a patch eliminating the vulnerability. According to manufacturer references: https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
Wazuh versions 4.4.0 to 4.9.0 (prior to version 4.9.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:HWazuh
APPWazuh4.4.0 – 4.9.1 (bez)
CISA KEV — detailsi
- Vendori
- Wazuh
- Producti
- Wazuh Server
- Added to KEVi
- June 10, 2025
- Remediation deadline (US Federal)i
- July 1, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.
Related vulnerabilities
Path Traversal w Wazuh umożliwiający RCE poprzez synchronizację klastra
Wazuh: privilege escalation do root przez cluster protocol (RCE)
RCE przez Deserialization w Wazuh — podatność klastra master/worker
Wazuh Agent (Windows): wyciek hash NetNTLMv2 umożliwiający RCE i privilege escalation
Buffer overflow w Wazuh Manager przy obsłudze znaków Unicode z Windows Eventchannel