CVE-2025-34294: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Wazuh, Inc. Wazuh
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.
AI Analysis
Technical Summary
CVE-2025-34294 identifies a time-of-check/time-of-use (TOCTOU) race condition in Wazuh's File Integrity Monitoring (FIM) feature when it is configured with automatic threat removal. The Wazuh agent records an active-response action to delete a flagged file, but it neither synchronizes that decision with the deletion nor re-validates the final deletion target immediately before removing it. A local attacker with low privileges can therefore change the file system state between the check and the deletion; the classic technique for this bug class is to swap the flagged path for a symbolic link or junction so that the path resolves somewhere else. The Wazuh service, which runs as NT AUTHORITY\SYSTEM, then deletes a file or directory of the attacker's choosing. Arbitrary file or folder deletion as SYSTEM is a well-known primitive for local privilege escalation on Windows. Exploitation requires a low-privileged local account and no user interaction; having to win the race adds to the attack complexity. Wazuh attempted a fix in pull request 8697 on 2025-07-10, but the change was incomplete and the issue remains exploitable. The CVSS 4.0 base score is 7.1 (high). No exploitation in the wild had been reported as of publication.
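The check-then-delete race described above, as an added illustration that is not Wazuh's code: a POSIX model in which the removal routine re-resolves the flagged path at deletion time (the vulnerable pattern) sits beside a variant that anchors on an open handle to the parent directory, re-checks the entry's identity without following links, and unlinks relative to that handle. The temporary layout, file names and the "attacker" swap are constructed for the demonstration. The Windows counterpart of the hardened variant is to open the flagged entry with FILE_FLAG_OPEN_REPARSE_POINT, confirm with GetFinalPathNameByHandle that the handle resolves where the check expected, and delete through that same handle (FILE_FLAG_DELETE_ON_CLOSE or FileDispositionInfo) instead of re-opening the path by name.

```python
"""Added illustration (not Wazuh code): a check-then-delete TOCTOU and a hardened variant."""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckedTarget:
    """What the check records: where the flagged entry lives and the inode identity behind it."""
    parent: str
    name: str
    dev: int
    ino: int


def check_target(parent: str, name: str) -> CheckedTarget:
    """Time-of-check: lstat the flagged entry (never follow links) and remember its identity."""
    st = os.lstat(os.path.join(parent, name))
    return CheckedTarget(parent, name, st.st_dev, st.st_ino)


def delete_naive(t: CheckedTarget) -> str:
    """Vulnerable pattern: resolve the path again at time-of-use and delete whatever it now
    points at. Nothing confirms the 'final path' is still the entry that was flagged.
    Returns the path that was actually deleted."""
    final = os.path.realpath(os.path.join(t.parent, t.name))
    os.unlink(final)
    return final


def delete_hardened(t: CheckedTarget) -> str:
    """Hardened pattern: hold the parent directory open, re-verify the entry without following
    links, and unlink relative to that handle. unlink never follows a symlink, so even if the
    attacker swaps the entry again after the re-check, only their own entry can be removed.
    Raises RuntimeError if the entry no longer matches what was checked."""
    dfd = os.open(t.parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        st = os.stat(t.name, dir_fd=dfd, follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode) or (st.st_dev, st.st_ino) != (t.dev, t.ino):
            raise RuntimeError(f"refusing to delete {t.name}: target changed since check")
        os.unlink(t.name, dir_fd=dfd)
        return os.path.join(t.parent, t.name)
    finally:
        os.close(dfd)


def simulate(deleter) -> tuple[bool, bool]:
    """Play the race in a scratch directory (constructed layout): flag a file, let the 'attacker'
    replace it with a symlink to a victim file, then run the deleter.
    Returns (victim_deleted, deleter_refused)."""
    with tempfile.TemporaryDirectory() as root:
        quarantine = os.path.join(root, "quarantine")   # attacker-writable directory
        os.mkdir(quarantine)
        flagged = os.path.join(quarantine, "malware.exe")
        victim = os.path.join(root, "important.dat")   # file the attacker wants SYSTEM to delete
        with open(flagged, "w") as f:
            f.write("x")
        with open(victim, "w") as f:
            f.write("keep me")

        t = check_target(quarantine, "malware.exe")    # time-of-check

        # Attacker wins the race: the flagged name now points at the victim.
        os.unlink(flagged)
        os.symlink(victim, flagged)

        refused = False
        try:
            deleter(t)                                  # time-of-use
        except RuntimeError:
            refused = True
        return (not os.path.exists(victim), refused)


if __name__ == "__main__":
    print("naive deleter   -> victim deleted, refused:", simulate(delete_naive))
    print("hardened deleter-> victim deleted, refused:", simulate(delete_hardened))
```

The hardened variant still has a window between the re-check and the unlink, but the operations it performs in that window cannot be redirected: the directory handle pins the parent, and unlink-by-name removes a link rather than following it. That is the property the original workflow lacked.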
Potential Impact
For European organizations that rely on Wazuh for endpoint security and file integrity monitoring, this vulnerability is a significant risk. Exploitation lets a low-privileged local user have the SYSTEM-level agent delete files or directories of their choosing, which can cause denial of service and data loss and is a standard stepping stone to local privilege escalation. An attacker who reaches SYSTEM on one host can then disable the agent itself, move laterally, or disrupt business operations. Sectors with strict requirements for data integrity and availability, such as finance, healthcare and critical infrastructure, are particularly exposed. Because exploitation requires local access, the remote attack surface is limited, but the risk from insiders and from attackers who already hold a low-privileged foothold is correspondingly higher. With the vendor's first fix known to be incomplete, organizations should assess their exposure now rather than wait for a final patch.
Mitigation Recommendations
Audit every Wazuh deployment to determine whether automatic threat removal is enabled, that is, whether ossec.conf contains active-response entries that invoke a file-removal command; if it does, disable those responses until a complete and verified fix is available. Tighten local access controls so that low-privileged users cannot write to the directories FIM monitors with removal enabled, and monitor for signs of exploitation attempts. Use file system integrity monitoring and alerting outside of Wazuh to detect unauthorized deletions. Keep Wazuh updated and watch vendor communications for a complete fix for this CVE. Deploy host-based intrusion detection (HIDS) and endpoint detection and response (EDR) tooling to detect and respond to suspicious local activity. Reduce insider risk with security awareness training and enforce least privilege to minimize the attack surface. Finally, maintain tested backup and recovery procedures to limit the impact of arbitrary deletions.
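The audit step above, as an added example that is not Wazuh's own tooling: a small parser that locates active-response blocks in ossec.conf which invoke a file-removal command and, optionally, marks them disabled. The sample configuration is constructed for the example; the command and executable names (`remove-threat`, `remove-threat.exe`) follow the Wazuh documentation's VirusTotal example and are an assumption you should adjust to whatever your deployment actually names its removal command. The parser wraps the file in a synthetic root because ossec.conf is a sequence of sibling `<ossec_config>` elements rather than a single XML document.

```python
"""Added example (not Wazuh code): find and disable file-removal active responses in ossec.conf."""
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt: two command definitions and two active responses.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>
</ossec_config>

<ossec_config>
  <active-response>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>100092</rules_id>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

# Assumption: executables that delete files. Extend with any site-specific removal scripts.
REMOVAL_EXECUTABLES = ("remove-threat.exe", "remove-threat")


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf holds several sibling <ossec_config> elements; wrap them to get one tree."""
    return ET.fromstring("<root>" + text + "</root>")


def removal_command_names(root: ET.Element) -> set[str]:
    """Names of <command> definitions whose executable is a known file-removal program.
    Only direct children of <ossec_config> are definitions; <active-response><command> is a reference."""
    names = set()
    for cfg in root.findall("ossec_config"):
        for cmd in cfg.findall("command"):
            if cmd.findtext("executable", "").strip() in REMOVAL_EXECUTABLES:
                names.add(cmd.findtext("name", "").strip())
    return names


def find_removal_responses(text: str) -> list[dict]:
    """Every active response that invokes a removal command, with its trigger and state."""
    root = parse_ossec_conf(text)
    removal = removal_command_names(root)
    findings = []
    for cfg in root.findall("ossec_config"):
        for ar in cfg.findall("active-response"):
            cmd = ar.findtext("command", "").strip()
            if cmd in removal:
                findings.append({
                    "command": cmd,
                    "rules_id": ar.findtext("rules_id", "").strip(),
                    "location": ar.findtext("location", "").strip(),
                    "disabled": ar.findtext("disabled", "no").strip().lower() == "yes",
                })
    return findings


def disable_removal_responses(text: str) -> str:
    """Return the configuration with <disabled>yes</disabled> set on every removal response.
    Each <ossec_config> block is re-serialised; comments and original whitespace are not kept,
    so diff the result before deploying it."""
    root = parse_ossec_conf(text)
    removal = removal_command_names(root)
    for cfg in root.findall("ossec_config"):
        for ar in cfg.findall("active-response"):
            if ar.findtext("command", "").strip() in removal:
                flag = ar.find("disabled")
                if flag is None:
                    flag = ET.SubElement(ar, "disabled")
                flag.text = "yes"
    return "\n".join(ET.tostring(cfg, encoding="unicode") for cfg in root.findall("ossec_config"))


if __name__ == "__main__":
    for f in find_removal_responses(SAMPLE_OSSEC_CONF):
        state = "DISABLED" if f["disabled"] else "ENABLED"
        print(f"{state}: {f['command']} (rules {f['rules_id']}, location {f['location']})")
```

Run it against a copy of the agent or manager ossec.conf; a finding marked ENABLED is a deployment where the vulnerable workflow is reachable. Disabling the response removes the deletion primitive while leaving detection in place.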
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.581Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6900f0e28b5ca1e4f6b448e0
Added to database: 10/28/2025, 4:35:46 PM
Last enriched: 10/28/2025, 4:36:04 PM
Last updated: 10/30/2025, 3:48:19 PM