Wazuh, a popular free and open-source platform for threat prevention, detection, and response, has a critical vulnerability in versions 4.4 to 4.9 that allows remote code execution (RCE) on victims' Wazuh servers. This vulnerability, assigned CVE-2025-24016, is caused by unsafe deserialization: an unsanitized dictionary injected into a DAPI request or response can lead to arbitrary code execution. Any attacker with API access, or with a compromised agent in specific configurations, can exploit this flaw.
Wazuh has resolved the issue in version 4.9.1. Users are advised to update their Wazuh instances to the latest version to mitigate the risk posed by this vulnerability.
Exploit Details
The vulnerability arises because DistributedAPI (DAPI) parameters are serialized as JSON and deserialized with the as_wazuh_object object hook in framework/wazuh/core/cluster/common.py. An attacker who can inject an unsanitized dictionary into a DAPI request or response can forge an unhandled-exception marker (__unhandled_exc__) that causes arbitrary Python code to be evaluated.
The following code snippet shows the relevant encoder and decoder hook:
# framework/wazuh/core/cluster/common.py (vulnerable version, as excerpted)
import json
...
class WazuhJSONEncoder(json.JSONEncoder):
    # Tags every WazuhCommon instance with its class name and registers the
    # class in the module-level WazuhJSONEncoders dict for later reconstruction.
    def default(self, o):
        if isinstance(o, WazuhCommon):
            WazuhJSONEncoders[o.__class__.__name__] = o.__class__
            return {"__wazuh_type__": o.__class__.__name__, "__wazuh_obj__": o}
        return super().default(o)

def as_wazuh_object(dct):
    # json.loads object_hook: rebuilds tagged objects from DAPI JSON, whose
    # contents may be influenced by a remote party.
    if "__wazuh_type__" in dct and "__wazuh_obj__" in dct:
        return WazuhJSONEncoders[dct["__wazuh_type__"]].from_dict(dct["__wazuh_obj__"])
    # A dict carrying these two keys is treated as a forwarded exception.
    if "__unhandled_exc__" in dct and "__wazuh_exc__" in dct:
        raise WazuhClusterError(dct["__unhandled_exc__"],
                                f'{"".join([elm for elm in dct["__wazuh_exc__"]])}')
    return dct
...
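To make the deserialization point above concrete from the defender's side, here is an added example (not Wazuh's code and not taken from the advisory) of the same encoder/object-hook pattern implemented with a fixed allowlist. The classes WazuhCommon, WazuhClusterError, AgentInfo and the SAFE_TYPES registry are assumed stand-ins; the hook only reconstructs types listed in the allowlist, treats the exception marker as opaque data rather than anything to interpret, and a separate find_markers helper lists where reserved marker keys occur in a raw payload, which is useful when reviewing captured DAPI traffic or logs without reconstructing any object.

```python
import json
from typing import Any, Dict, List, Type


# Assumed, simplified stand-ins for the framework classes named in the snippet.
class WazuhCommon:
    def to_dict(self) -> Dict[str, Any]:
        return dict(vars(self))

    @classmethod
    def from_dict(cls, data: Dict[str, Any]) -> "WazuhCommon":
        obj = cls.__new__(cls)
        obj.__dict__.update(data)
        return obj


class WazuhClusterError(Exception):
    def __init__(self, code: int, message: str) -> None:
        super().__init__(f"Error {code}: {message}")
        self.code = code
        self.message = message


class AgentInfo(WazuhCommon):
    def __init__(self, agent_id: str, name: str) -> None:
        self.agent_id = agent_id
        self.name = name


# Fixed allowlist decided at import time; the encoder never adds to it.
SAFE_TYPES: Dict[str, Type[WazuhCommon]] = {"AgentInfo": AgentInfo}

MARKER_KEYS = frozenset(
    {"__wazuh_type__", "__wazuh_obj__", "__unhandled_exc__", "__wazuh_exc__"}
)


class SafeJSONEncoder(json.JSONEncoder):
    def default(self, o: Any) -> Any:
        if isinstance(o, WazuhCommon) and type(o).__name__ in SAFE_TYPES:
            return {"__wazuh_type__": type(o).__name__, "__wazuh_obj__": o.to_dict()}
        return super().default(o)


def safe_as_wazuh_object(dct: Dict[str, Any]) -> Any:
    """object_hook that reconstructs only allowlisted types and never interprets data."""
    if "__wazuh_type__" in dct and "__wazuh_obj__" in dct:
        cls = SAFE_TYPES.get(dct["__wazuh_type__"])
        if cls is None:
            raise WazuhClusterError(3000, f"unknown object type {dct['__wazuh_type__']!r}")
        obj = dct["__wazuh_obj__"]
        if not isinstance(obj, dict):
            raise WazuhClusterError(3000, "__wazuh_obj__ must be a JSON object")
        return cls.from_dict(obj)
    if "__unhandled_exc__" in dct and "__wazuh_exc__" in dct:
        # The marker is surfaced as an error carrying a length-capped string;
        # nothing inside it is evaluated or used to pick a class.
        detail = dct["__wazuh_exc__"]
        if not isinstance(detail, str):
            detail = json.dumps(detail)
        raise WazuhClusterError(1000, f"remote unhandled exception: {detail[:512]}")
    return dct


def decode(text: str) -> Any:
    return json.loads(text, object_hook=safe_as_wazuh_object)


def find_markers(value: Any, path: str = "$") -> List[str]:
    """Walk plain-decoded JSON and return the paths at which reserved marker keys appear."""
    found: List[str] = []
    if isinstance(value, dict):
        for key, child in value.items():
            if key in MARKER_KEYS:
                found.append(f"{path}.{key}")
            found.extend(find_markers(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            found.extend(find_markers(child, f"{path}[{idx}]"))
    return found


if __name__ == "__main__":
    # Constructed sample payloads, not real DAPI traffic.
    wire = json.dumps({"data": AgentInfo("001", "web-01")}, cls=SafeJSONEncoder)
    print(decode(wire)["data"].name)
    hostile = '{"data": {"__unhandled_exc__": 1, "__wazuh_exc__": ["x"]}}'
    print(find_markers(json.loads(hostile)))
```

The design point is that the registry is closed and static, so a type name in a payload can only ever select a class the developers chose in advance, and the exception branch carries the remote string through as a message rather than feeding it to anything that executes.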
Impact
An attacker who successfully exploits this vulnerability can execute arbitrary code on the victim's Wazuh server, leading to unauthorized access, data exfiltration, and even a full system compromise.
Affected Versions
Wazuh versions 4.4 to 4.9 are affected by this vulnerability.
Solution and Recommendations
The vulnerability has been fixed in Wazuh version 4.9.1. Users are strongly advised to update their Wazuh instances to the latest available version immediately.
The official Wazuh repository is available at the following link: Wazuh Repository on GitHub
To assist in upgrading, users can consult the official Wazuh Upgrade Documentation.
Additional Security Considerations
In addition to upgrading Wazuh, users should take the following measures to improve their overall security posture:
Regularly audit access logs and system configurations.
By acting promptly on this vulnerability and maintaining a robust security posture, users can help to defend against this and future threats.
Timeline
Published on: 02/10/2025 20:15:42 UTC