Critical Vulnerability in Wazuh Server Enables Remote Attackers to Execute Malicious Code
A critical remote code execution (RCE) vulnerability has been discovered in Wazuh Server, a widely used open-source security platform for threat detection and compliance monitoring. This vulnerability, identified as CVE-2025-24016, allows remote attackers with API access to execute arbitrary Python code on the server, presenting a significant risk to affected systems. With a CVSS score of 9.9, the vulnerability is classified as highly critical.
Vulnerability Overview
The flaw arises from unsafe deserialization in the Wazuh API’s DistributedAPI (DAPI) component. Specifically, the issue lies in how parameters serialized as JSON are deserialized by the function as_wazuh_object in the file framework/wazuh/core/cluster/common.py.
An attacker can exploit this flaw by injecting an unsanitized dictionary into DAPI requests or responses, enabling the execution of arbitrary code on the server. One notable attack vector involves manipulating the run_as endpoint, where the auth_context argument can be crafted to trigger malicious requests leading to arbitrary code execution on the master server.
Additionally, compromised Wazuh agents, in certain configurations, can exploit this vulnerability by injecting malicious payloads into API requests.
Affected Versions
- Vulnerable Versions: Wazuh Manager versions 4.4.0 through 4.9.0.
- Patched Version: The issue is fixed in version 4.9.1 and later.
Potential Impact
Exploiting this vulnerability can allow attackers to:
- Execute arbitrary Python code remotely on the Wazuh server.
- Take control of or shut down Wazuh servers.
- Compromise Wazuh agents and use them to propagate attacks within a cluster.
Such attacks could severely impact the system's integrity, availability, and confidentiality, making it a significant concern for organizations that rely on Wazuh for threat monitoring and security.
Proof of Concept (PoC)
A publicly available PoC demonstrates how attackers can exploit this flaw by sending crafted JSON payloads via API requests. For example, a malicious request to the run_as endpoint can inject an unsanitized exception (__unhandled_exc__), which triggers the execution of arbitrary code.
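The defensive pattern that closes this class of bug is to never resolve a type name taken from untrusted JSON; a deserialization hook should rebuild only an explicit allowlist of types and reject everything else. The example below is added here to illustrate that principle and is not Wazuh's own code: the __unhandled_exc__ marker name comes from the article, while ALLOWED_EXCEPTIONS, safe_object_hook, deserialize and is_safe_payload are assumed names for this illustration.

```python
import builtins
import json

# Allowlist of exception classes that may be rebuilt from a serialized
# "__unhandled_exc__" marker: only built-in exception types qualify.
# Any other name is refused rather than being looked up and called.
ALLOWED_EXCEPTIONS = frozenset(
    name for name in dir(builtins)
    if isinstance(getattr(builtins, name), type)
    and issubclass(getattr(builtins, name), BaseException)
)


class UnsafeObjectError(ValueError):
    """Raised when a serialized dictionary names a type outside the allowlist."""


def safe_object_hook(dct):
    """json.loads object_hook that rebuilds only allowlisted exceptions.

    json.loads calls this for every decoded object, so nested markers are
    checked too. Plain dictionaries are returned unchanged; no
    attacker-controlled string is ever resolved to a callable.
    """
    if "__unhandled_exc__" not in dct:
        return dct
    exc_data = dct["__unhandled_exc__"]
    if not isinstance(exc_data, dict):
        raise UnsafeObjectError("__unhandled_exc__ must be a JSON object")
    class_name = exc_data.get("__class__")
    if not isinstance(class_name, str) or class_name not in ALLOWED_EXCEPTIONS:
        raise UnsafeObjectError(f"refusing to rebuild non-allowlisted type {class_name!r}")
    args = exc_data.get("__args__", [])
    if not isinstance(args, list):
        raise UnsafeObjectError("__args__ must be a JSON list")
    exc_cls = getattr(builtins, class_name)  # safe: name is in the allowlist
    return exc_cls(*args)


def deserialize(payload: str):
    """Decode a JSON payload with the allowlisting hook applied."""
    return json.loads(payload, object_hook=safe_object_hook)


def is_safe_payload(payload: str) -> bool:
    """Return True when the payload decodes without hitting a refused type."""
    try:
        deserialize(payload)
        return True
    except UnsafeObjectError:
        return False
```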
Mitigation Steps
To protect against this vulnerability, organizations should:
- Upgrade Immediately: Ensure the Wazuh Manager is updated to version 4.9.1 or later, where the issue has been patched.
- Restrict API Access: Limit API access to trusted networks and enforce strong authentication measures to minimize the risk of unauthorized access.
- Monitor Logs: Regularly monitor logs for suspicious activities, such as unusual API calls or unauthorized access attempts.
- Harden Agent Configurations: Secure the configurations of Wazuh agents to prevent exploitation from compromised endpoints.
Organizations are strongly urged to implement these mitigation measures as soon as possible to reduce the risk of exploitation and protect their infrastructure from attackers leveraging CVE-2025-24016.
Conclusion
This vulnerability presents a serious security risk for Wazuh users. Organizations must act quickly to update their systems, limit API exposure, and strengthen security practices to avoid potential exploitation. Prompt action will help safeguard against the significant threats posed by this critical vulnerability.