CVE-2025-24016 is a critical remote code execution vulnerability affecting Wazuh versions from 4.4.0 up to, but not including, 4.9.1. Wazuh is an open-source security platform widely used for threat prevention, detection, and response. The vulnerability arises from unsafe deserialization of untrusted data within the DistributedAPI (DAPI) component. Specifically, parameters in DAPI are serialized as JSON and deserialized using the `as_wazuh_object` function located in `framework/wazuh/core/cluster/common.py`. An attacker who can inject a crafted unsanitized dictionary into a DAPI request or response can exploit this flaw by forging an unhandled exception (`__unhandled_exc__`) that triggers arbitrary Python code execution. This deserialization flaw is classified under CWE-502, which concerns unsafe deserialization of untrusted data leading to code execution. The vulnerability can be exploited remotely by any entity with API access, which includes users with compromised dashboards or cluster servers. In certain configurations, even a compromised Wazuh agent can trigger the exploit. The vulnerability has a CVSS v3.1 score of 9.9, reflecting its critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability with a scope change (S:C). Although no known exploits are currently reported in the wild, the potential for severe impact is high. The issue was addressed in Wazuh version 4.9.1 by implementing proper input validation and safe deserialization practices to prevent arbitrary code execution.

For European organizations, this vulnerability poses a significant risk due to Wazuh's popularity as a security monitoring and incident response tool. Successful exploitation could lead to full compromise of Wazuh servers, allowing attackers to execute arbitrary code remotely. This can result in unauthorized access to sensitive security data, manipulation or disabling of security monitoring, and lateral movement within the network. The compromise of Wazuh servers could undermine the entire security posture of an organization, leading to data breaches, disruption of operations, and loss of integrity in threat detection. Given that Wazuh is often deployed in clustered environments, the vulnerability could propagate across multiple nodes, amplifying the impact. European organizations in critical infrastructure sectors, finance, healthcare, and government are particularly at risk due to the strategic importance of their security monitoring capabilities. Additionally, the vulnerability’s ability to be triggered by compromised agents increases the attack surface, especially in environments with numerous distributed endpoints. The lack of required user interaction and the network-based attack vector make this vulnerability highly exploitable in real-world scenarios.

European organizations should immediately upgrade all Wazuh deployments to version 4.9.1 or later, which contains the fix for this vulnerability. Until upgrades can be performed, organizations should restrict API access strictly to trusted users and systems, employing network segmentation and firewall rules to limit exposure. Implement strong authentication and authorization controls on the Wazuh API to prevent unauthorized access. Monitor API logs for unusual or malformed requests that could indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) or API gateways with rules to detect and block suspicious serialized payloads. Review and harden cluster configurations to minimize the risk posed by compromised agents, including isolating agents and applying the principle of least privilege. Regularly audit and update security policies governing access to Wazuh components. Finally, conduct penetration testing and vulnerability scanning focused on Wazuh infrastructure to identify any residual risks or misconfigurations.