
CVE-2025-24016: CWE-502: Deserialization of Untrusted Data in wazuh wazuh

Severity: Critical
Type: Vulnerability (CVE-2025-24016, CWE-502)
Published: Mon Feb 10 2025 (02/10/2025, 19:08:09 UTC)
Source: CVE Database V5
Vendor/Project: wazuh
Product: wazuh

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

AI-Powered Analysis

Last updated: 07/10/2025, 20:02:50 UTC

Technical Analysis

CVE-2025-24016 is a critical remote code execution vulnerability affecting Wazuh versions from 4.4.0 up to, but not including, 4.9.1. Wazuh is an open-source security platform widely used for threat prevention, detection, and response. The vulnerability arises from unsafe deserialization of untrusted data within the DistributedAPI (DAPI) component. Specifically, parameters in DAPI are serialized as JSON and deserialized using the `as_wazuh_object` function located in `framework/wazuh/core/cluster/common.py`. An attacker who can inject a crafted unsanitized dictionary into a DAPI request or response can exploit this flaw by forging an unhandled exception (`__unhandled_exc__`) that triggers arbitrary Python code execution. This deserialization flaw is classified under CWE-502, which concerns unsafe deserialization of untrusted data leading to code execution. The vulnerability can be exploited remotely by any entity with API access, which includes users with compromised dashboards or cluster servers. In certain configurations, even a compromised Wazuh agent can trigger the exploit. The vulnerability has a CVSS v3.1 score of 9.9, reflecting its critical severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability with a scope change (S:C). Although no known exploits are currently reported in the wild, the potential for severe impact is high. The issue was addressed in Wazuh version 4.9.1 by implementing proper input validation and safe deserialization practices to prevent arbitrary code execution.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to Wazuh's popularity as a security monitoring and incident response tool. Successful exploitation could lead to full compromise of Wazuh servers, allowing attackers to execute arbitrary code remotely. This can result in unauthorized access to sensitive security data, manipulation or disabling of security monitoring, and lateral movement within the network. The compromise of Wazuh servers could undermine the entire security posture of an organization, leading to data breaches, disruption of operations, and loss of integrity in threat detection. Given that Wazuh is often deployed in clustered environments, the vulnerability could propagate across multiple nodes, amplifying the impact. European organizations in critical infrastructure sectors, finance, healthcare, and government are particularly at risk due to the strategic importance of their security monitoring capabilities. Additionally, the vulnerability’s ability to be triggered by compromised agents increases the attack surface, especially in environments with numerous distributed endpoints. The lack of required user interaction and the network-based attack vector make this vulnerability highly exploitable in real-world scenarios.

Mitigation Recommendations

European organizations should immediately upgrade all Wazuh deployments to version 4.9.1 or later, which contains the fix for this vulnerability. Until upgrades can be performed, organizations should restrict API access strictly to trusted users and systems, employing network segmentation and firewall rules to limit exposure. Implement strong authentication and authorization controls on the Wazuh API to prevent unauthorized access. Monitor API logs for unusual or malformed requests that could indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) or API gateways with rules to detect and block suspicious serialized payloads. Review and harden cluster configurations to minimize the risk posed by compromised agents, including isolating agents and applying the principle of least privilege. Regularly audit and update security policies governing access to Wazuh components. Finally, conduct penetration testing and vulnerability scanning focused on Wazuh infrastructure to identify any residual risks or misconfigurations.
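The deserialization pattern described in the technical analysis, and the log monitoring the mitigation section recommends, as an added example that is not Wazuh's own code: the hook name, the allowlist and the shape of the marker dictionary are assumptions modelled on the advisory's description. The hook rebuilds only allowlisted exception types by dictionary lookup and never evaluates a name taken from the payload; `find_markers` reports where the `__unhandled_exc__` key appears in a message so flagged requests can be reviewed.

```python
import json
EXC_MARKER = "__unhandled_exc__"  # marker key named in the advisory
# Allowlist: the only exception types a payload may ask us to rebuild.
ALLOWED_EXCEPTIONS = {"ValueError": ValueError, "KeyError": KeyError}

class UnsafePayload(ValueError):
    """Raised when a payload names a class outside the allowlist."""

def safe_object_hook(dct):
    """Rebuild exceptions by dictionary lookup only: never eval(), import or
    getattr() a name taken from the payload."""
    if EXC_MARKER not in dct:
        return dct
    spec = dct[EXC_MARKER]
    args = spec.get("__args__", []) if isinstance(spec, dict) else None
    if not isinstance(args, list):
        raise UnsafePayload("malformed exception marker")
    cls = ALLOWED_EXCEPTIONS.get(spec.get("__class__"))
    if cls is None:
        raise UnsafePayload(f"exception class not allowed: {spec.get('__class__')!r}")
    return cls(*args)

def safe_loads(raw):
    """Decode a DAPI-style JSON message with the hardened hook."""
    return json.loads(raw, object_hook=safe_object_hook)

def is_rejected(raw):
    """True if the hardened decoder refuses the message."""
    try:
        safe_loads(raw)
    except UnsafePayload:
        return True
    return False

def find_markers(obj, path="$"):
    """Detection helper for log review: JSON paths where the marker key appears."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == EXC_MARKER:
                hits.append(f"{path}.{key}")
            hits.extend(find_markers(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_markers(value, f"{path}[{i}]"))
    return hits

# Constructed sample messages (not real captures): one benign, one rejected.
SAMPLE_OK = '{"error": {"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}}}'
SAMPLE_BAD = '{"data": [1, {"__unhandled_exc__": {"__class__": "NotAnAllowedClass", "__args__": []}}]}'
```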


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-01-16T17:31:06.458Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f501b0bd07c39389a49

Added to database: 6/10/2025, 6:54:08 PM

Last enriched: 7/10/2025, 8:02:50 PM

Last updated: 8/16/2025, 4:11:23 PM
