Security Advisory
Wazuh is an open-source security platform used for threat detection, incident response, and compliance monitoring.
This vulnerability affects Wazuh versions 4.4.0 through 4.9.0 and is caused by an unsafe deserialization flaw in the DistributedAPI component. Attackers with API access can inject malicious JSON payloads to execute arbitrary Python code remotely.
This flaw has been assigned a CVSS score of 9.9 and is patched in Wazuh version 4.9.1. Organizations running affected versions should update immediately to mitigate exploitation risks.
A Proof-of-Concept (PoC) exploit has been publicly disclosed, increasing the risk of active exploitation in the wild.
Field | Value
--- | ---
OEM | Wazuh
Severity | Critical
CVSS | 9.9
CVEs | CVE-2025-24016
Exploited in Wild | No
Publicly POC Available | Yes
Patch/Remediation Available | Yes
Advisory Version | 1.0
Vulnerability Name | CVE ID | Product Affected | Severity | Patched Version
--- | --- | --- | --- | ---
Remote Code Execution Vulnerability | CVE-2025-24016 | Wazuh | Critical | >= 4.9.1
Technical Summary
The vulnerability arises from unsafe deserialization in the DistributedAPI (DAPI) component of Wazuh. Request and response parameters are serialized as JSON and deserialized with the as_wazuh_object function in framework/wazuh/core/cluster/common.py. Because that function does not sanitize the dictionaries it reconstructs, an attacker with API access can inject a crafted dictionary into a DAPI request or response and have the server execute arbitrary Python code.
CVE ID | System Affected | Vulnerability Details | Impact
--- | --- | --- | ---
CVE-2025-24016 | Wazuh servers (versions 4.4.0 to 4.9.0) | Unsafe deserialization in the DistributedAPI component allows attackers with API access to inject malicious JSON payloads. This is due to the as_wazuh_object function in framework/wazuh/core/cluster/common.py not properly sanitizing input data. | Remote code execution on the server and full system compromise
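The root cause described above is a JSON object hook that rebuilds Python objects from tagged dictionaries without restricting what it will rebuild. The following is an added example, not Wazuh's code and not the real as_wazuh_object logic: it shows the defensive pattern of an allow-listed object hook for json.loads, plus a scanning helper that flags tagged dictionaries requesting anything outside the allow-list so such payloads can be logged and dropped before decoding. The marker key `__type__`, the type names in ALLOWED_TYPES and the sample payloads are all constructed for this illustration.

```python
import json
from datetime import datetime
from typing import Any, Callable, Dict, List

# Hypothetical marker key used to tag encoded objects (not Wazuh's real scheme).
TYPE_KEY = "__type__"


class UnsafePayloadError(ValueError):
    """Raised when a payload asks for a type that is not on the allow-list."""


# Allow-list: the only objects the decoder will ever reconstruct.
# Every entry is a fixed constructor that takes plain JSON data; the decoder
# never resolves a name supplied by the payload into a function or class.
ALLOWED_TYPES: Dict[str, Callable[[Any], Any]] = {
    "datetime": lambda v: datetime.fromisoformat(v),
    "set": lambda v: set(v),
    "exception": lambda v: RuntimeError(str(v)),
}


def as_safe_object(dct: dict) -> Any:
    """json.loads object_hook: rebuild allow-listed types, reject everything else.

    Untagged dicts pass through untouched. A tagged dict must carry exactly
    TYPE_KEY and 'value', and its type name must be in ALLOWED_TYPES.
    """
    if TYPE_KEY not in dct:
        return dct
    type_name = dct[TYPE_KEY]
    if not isinstance(type_name, str) or type_name not in ALLOWED_TYPES:
        raise UnsafePayloadError(f"refusing to reconstruct type {type_name!r}")
    if set(dct) != {TYPE_KEY, "value"}:
        raise UnsafePayloadError(
            f"tagged object must carry exactly {TYPE_KEY!r} and 'value'"
        )
    return ALLOWED_TYPES[type_name](dct["value"])


def decode_payload(raw: str) -> Any:
    """Decode a DAPI-style JSON message with the hardened hook."""
    return json.loads(raw, object_hook=as_safe_object)


def find_unknown_markers(raw: str) -> List[Any]:
    """Detection pass: parse raw JSON with NO hook and list every tagged dict
    whose type name is not allow-listed. Safe to run on logged traffic."""
    found: List[Any] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            if TYPE_KEY in node and node[TYPE_KEY] not in ALLOWED_TYPES:
                found.append(node[TYPE_KEY])
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(raw))
    return found


# Constructed sample messages (not captured Wazuh traffic).
SAMPLE_OK = (
    '{"agent": {"id": "001", '
    '"last_seen": {"__type__": "datetime", "value": "2025-02-10T12:00:00"}}}'
)
SAMPLE_UNKNOWN = '{"agent": {"id": "002", "meta": {"__type__": "unknown_type", "value": 1}}}'
SAMPLE_EXTRA_KEYS = '{"__type__": "set", "value": [1, 2], "extra": true}'


if __name__ == "__main__":
    print("decoded ok:", decode_payload(SAMPLE_OK))
    for sample in (SAMPLE_UNKNOWN, SAMPLE_EXTRA_KEYS):
        print("flagged markers:", find_unknown_markers(sample))
        try:
            decode_payload(sample)
        except UnsafePayloadError as exc:
            print("rejected:", exc)
```

The two functions split the work the way a defender usually wants it: find_unknown_markers can run on stored API logs without reconstructing anything, so it doubles as a detection rule for probes against this class of flaw, while decode_payload is the only path that builds objects and fails closed on any tag it does not recognise.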
Remediation:
Upgrade affected Wazuh servers (versions 4.4.0 through 4.9.0) to version 4.9.1 or later, which contains the fix.
General Recommendations:
Conclusion:
CVE-2025-24016 is a critical vulnerability that poses significant risks to organizations using affected versions of Wazuh. Immediate action is required to patch the vulnerability and implement security best practices to protect against potential exploitation.
References: