CVE-2025-24016
Remote code execution in Wazuh server
In short
Wazuh servers from version 4.4.0 up to and including 4.9.0 (fixed in 4.9.1) have a flaw that allows anyone with API access to run arbitrary code by sending specially crafted requests. The cause is that the server deserializes API parameters without validating them.
Technical detail
CVE-2025-24016 is an unsafe deserialization vulnerability in Wazuh's DistributedAPI layer (framework/wazuh/core/cluster/common.py) where the `as_wazuh_object` function processes JSON-serialized parameters without sanitization. An attacker with API access (via compromised dashboard, cluster nodes, or agents in certain configurations) can inject a malicious dictionary containing an `__unhandled_exc__` exception object to achieve arbitrary Python code execution on the Wazuh server. The vulnerability affects versions 4.4.0 through 4.9.0.
Summary generated and translated by AI from the official description.
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
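The two descriptions above name the three things a defender can act on: the affected version range (4.4.0 up to, but not including, 4.9.1), the JSON transport of DAPI parameters, and the `__unhandled_exc__` marker key that the vulnerable deserializer trusts. The following is an added example, not Wazuh project code and not the patched `as_wazuh_object`: it checks whether a reported version falls in the affected range, walks a decoded JSON document to report where the marker key appears (detection side), and shows the hardening pattern of a `json.loads` object hook that refuses the marker instead of evaluating anything from the wire. The payload layout, the `f`/`f_kwargs` field names and the sample documents are constructed for illustration and are assumptions, not the real DAPI format.

```python
"""Defensive checks for the CVE-2025-24016 pattern (added example, not Wazuh code).

Assumptions (not from the advisory): DAPI payloads are plain JSON documents
whose nested dicts may carry marker keys; the field names used in the sample
documents below are illustrative only.
"""
import json
from typing import Any, List, Tuple

AFFECTED_MIN: Tuple[int, int, int] = (4, 4, 0)  # first affected release (advisory)
FIXED: Tuple[int, int, int] = (4, 9, 1)         # first fixed release (advisory)
MARKER = "__unhandled_exc__"                     # marker key named in the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.9.0' or 'v4.9.0' into a comparable tuple (major, minor, patch)."""
    return tuple(int(p) for p in v.strip().lstrip("v").split(".")[:3])


def is_affected(version: str) -> bool:
    """True when 4.4.0 <= version < 4.9.1, the range the advisory gives."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def find_markers(obj: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON document and return JSONPath-like locations of MARKER.

    This is the detection-side view: it never evaluates anything, it only
    reports where the suspicious key occurs so the event can be logged/alerted.
    """
    hits: List[str] = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == MARKER:
                hits.append(f"{path}.{key}")
            hits.extend(find_markers(val, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_markers(val, f"{path}[{i}]"))
    return hits


def scan_payload(raw: str) -> List[str]:
    """Decode with the stock parser (no hook) and report marker locations."""
    return find_markers(json.loads(raw))


def safe_object_hook(d: dict) -> dict:
    """Hardening pattern for a deserialization hook.

    json.loads calls this for every decoded dict, innermost first. A safe hook
    only reconstructs explicitly allow-listed types and never feeds wire data to
    eval(); here the marker is simply refused, which is the minimal fix shape.
    """
    if MARKER in d:
        raise ValueError(f"refusing to deserialize {MARKER!r} from untrusted input")
    return d


def load_dapi_payload(raw: str) -> Any:
    """Parse a DAPI-style JSON document through the hardened hook."""
    return json.loads(raw, object_hook=safe_object_hook)


def hook_rejects(raw: str) -> bool:
    """Convenience wrapper: does the hardened loader refuse this document?"""
    try:
        load_dapi_payload(raw)
    except ValueError:
        return True
    return False


# Constructed sample documents (illustrative shape, not the real DAPI format).
BENIGN = '{"f": "agents.get", "f_kwargs": {"limit": 10}}'
SUSPECT = '{"f": "agents.get", "f_kwargs": {"error": {"__unhandled_exc__": "<placeholder>"}}}'

if __name__ == "__main__":
    for v in ("4.3.11", "4.4.0", "4.9.0", "4.9.1"):
        print(f"{v}: affected={is_affected(v)}")
    print("benign markers:", scan_payload(BENIGN))
    print("suspect markers:", scan_payload(SUSPECT))
    print("hook rejects suspect:", hook_rejects(SUSPECT))
```

In a real deployment the version check belongs in inventory tooling (compare the `wazuh-manager` package version on every cluster node against 4.9.1), the marker scan is a cheap signature for API gateway or WAF logging of DAPI traffic, and the hook pattern is what to look for when reviewing any custom deserializer: an allow-list of known markers and no path from wire data to `eval`.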
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.