Identified as CVE-2025-24016, this flaw allows attackers with API access to execute arbitrary Python code on the server, posing a significant threat to affected systems. The vulnerability has been assigned a CVSS score of 9.9, reflecting its critical severity.
The issue stems from unsafe deserialization in the Wazuh API’s DistributedAPI component. Specifically, parameters serialized as JSON are deserialized using the as_wazuh_object function in the framework/wazuh/core/cluster/common.py file.
An attacker can exploit this by injecting an unsanitized dictionary into DistributedAPI (DAPI) requests or responses, enabling the execution of arbitrary code.
One notable attack vector involves the run_as endpoint, where the attacker can manipulate the auth_context argument to craft malicious requests.
These requests may lead to arbitrary code execution on the master server. Additionally, compromised Wazuh agents in certain configurations can exploit this vulnerability by injecting malicious payloads into API requests.
The vulnerability allows attackers to run arbitrary Python code with the privileges of the Wazuh server process. Such attacks can compromise system integrity, availability, and confidentiality, making this a critical issue for organizations relying on Wazuh for security monitoring.
A publicly available PoC demonstrates how attackers can exploit this flaw using crafted JSON payloads sent via API requests. For example, a malicious request to the run_as endpoint can carry an unsanitized __unhandled_exc__ dictionary that the deserializer rebuilds into a Python object, triggering arbitrary code execution.
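To make the deserialization pattern concrete, the following is an added illustration, not Wazuh's code: a reduced, hypothetical reconstruction of a JSON object hook that rebuilds exceptions from a tagged __unhandled_exc__ dictionary. The weak variant resolves the attacker-supplied class name with eval(), so any Python expression placed in that field runs; the hardened variant beside it only resolves names from a fixed allowlist and validates the argument list. The function names, the allowlist, and both payloads are constructed for this example.

```python
"""Added example: the deserialization weakness behind CVE-2025-24016, reduced.

This is a hypothetical reconstruction of the pattern, not the real Wazuh
code: a json.loads() object hook turns {"__unhandled_exc__": {...}} back
into an exception object. The unsafe hook resolves "__class__" with eval();
the safe hook only accepts names from an explicit allowlist.
"""
import builtins
import json


class DeserializationError(ValueError):
    """Raised by the hardened hook when a payload is rejected."""


def as_wazuh_object_unsafe(dct):
    """Vulnerable object hook (hypothetical): class name goes through eval().

    eval() on attacker-controlled text executes arbitrary Python; the
    "exception" it returns is then called with attacker-controlled args.
    """
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # the RCE sink
    return dct


# Hardened form: only these exception classes may be reconstructed.
ALLOWED_EXCEPTIONS = {
    name: getattr(builtins, name)
    for name in ("ValueError", "KeyError", "RuntimeError", "TimeoutError")
}


def as_wazuh_object_safe(dct):
    """Hardened object hook: allowlist lookup instead of eval().

    Unknown class names, non-list args, or args that are not plain
    scalars are rejected instead of being evaluated.
    """
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        args = exc.get("__args__", [])
        if (
            cls is None
            or not isinstance(args, list)
            or not all(isinstance(a, (str, int, float)) for a in args)
        ):
            raise DeserializationError("rejected __unhandled_exc__ payload")
        return cls(*args)
    return dct


def loads_unsafe(payload):
    """Deserialize with the vulnerable hook."""
    return json.loads(payload, object_hook=as_wazuh_object_unsafe)


def loads_safe(payload):
    """Deserialize with the hardened hook."""
    return json.loads(payload, object_hook=as_wazuh_object_safe)


# Constructed payloads. The benign one is what a legitimate peer would send;
# the malicious one puts a Python expression where a class name is expected.
BENIGN_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["boom"]}}
)
MALICIOUS_PAYLOAD = json.dumps(
    {
        "__unhandled_exc__": {
            "__class__": "(lambda *a: __import__('os').getpid() > 0 "
                         "and 'attacker code ran')",
            "__args__": ["ignored"],
        }
    }
)


def demo():
    """Run both payloads through both hooks and report what happened."""
    result = {
        "unsafe_benign": type(loads_unsafe(BENIGN_PAYLOAD)).__name__,
        "unsafe_malicious": loads_unsafe(MALICIOUS_PAYLOAD),
        "safe_benign": type(loads_safe(BENIGN_PAYLOAD)).__name__,
    }
    try:
        loads_safe(MALICIOUS_PAYLOAD)
        result["safe_malicious"] = "accepted"
    except DeserializationError:
        result["safe_malicious"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

With the unsafe hook the malicious payload's "__class__" string is evaluated as an expression, the resulting lambda is called with the supplied args, and the string it returns is the evidence that attacker-controlled code ran inside the deserializer. The hardened hook reconstructs the benign ValueError exactly as before but refuses the malicious payload, because lookup in a fixed dictionary cannot execute anything.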
To address this vulnerability, organizations should upgrade to Wazuh 4.9.1 or later, the release in which the fix shipped (versions from 4.4.0 up to and including 4.9.0 are affected), and in the meantime restrict who can reach the Wazuh API, since the flaw is reachable by any authenticated API client. Organizations are strongly urged to implement these measures promptly to mitigate potential exploitation risks and safeguard their infrastructure from attackers leveraging CVE-2025-24016.
The post Critical Vulnerability in Wazuh Server Enables Remote Attackers to Execute Malicious Code appeared first on Cyber Security News.