CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-24016

CVSS 9.9v3.1pub. 2025-02-10upd. 2025-10-24

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

🤖 AI Analysis
How it works

DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using the `as_wazuh_object` function in the file `framework/wazuh/core/cluster/common.py`. An attacker who manages to inject an unverified dictionary into a DAPI request or response can craft an unhandled exception (`__unhandled_exc__`), which during deserialization leads to arbitrary Python code execution. The vulnerability can be triggered by anyone with API access (e.g., via a compromised dashboard or another Wazuh server in the cluster), and in some configurations also by a compromised agent.

Impact

An attacker can remotely execute arbitrary code on the Wazuh server with process privileges, which in practice means full control over the server, potential breach of data confidentiality, system integrity, and availability.

Mitigation & patch

Wazuh must be urgently updated to version 4.9.1, which contains a patch eliminating the vulnerability. According to manufacturer references: https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

Who is affected

Wazuh versions 4.4.0 to 4.9.0 (prior to version 4.9.1)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
  • Wazuh

    APP
    Wazuh
    4.4.0 – 4.9.1 (bez)

CISA KEV — detailsi

Vendori
Wazuh
Producti
Wazuh Server
Added to KEVi
June 10, 2025
Remediation deadline (US Federal)i
July 1, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 1 lipca 2025
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-30893CRITICAL9.0PL ✓ten sam produkt

Path Traversal w Wazuh umożliwiający RCE poprzez synchronizację klastra

CVE-2026-25770CRITICAL9.1PL ✓ten sam produkt

Wazuh: privilege escalation do root przez cluster protocol (RCE)

CVE-2026-25769CRITICAL9.1PL ✓ten sam produkt

RCE przez Deserialization w Wazuh — podatność klastra master/worker

CVE-2024-1243CRITICAL9.5PL ✓ten sam produkt

Wazuh Agent (Windows): wyciek hash NetNTLMv2 umożliwiający RCE i privilege escalation

CVE-2024-32038CRITICAL9.8PL ✓ten sam produkt

Buffer overflow w Wazuh Manager przy obsłudze znaków Unicode z Windows Eventchannel