CVE-2025-34294: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Wazuh, Inc. Wazuh
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.
AI Analysis
Technical Summary
CVE-2025-34294 identifies a time-of-check/time-of-use (TOCTOU) race condition vulnerability in Wazuh's File Integrity Monitoring (FIM) feature when configured with automatic threat removal. The vulnerability arises because the Wazuh agent records an active-response action to delete a suspicious file or path but does not adequately synchronize or validate the final deletion target before performing the deletion. This lack of robust final-path validation allows a local attacker with low privileges to manipulate the file system state between the check and the deletion operation, causing the Wazuh service, which runs with NT AUTHORITY\SYSTEM privileges on Windows, to delete arbitrary files or directories controlled by the attacker. This can lead to SYSTEM-level arbitrary file or folder deletion, enabling local privilege escalation and potential disruption of system integrity. The vulnerability is classified under CWE-367 (TOCTOU race condition). The vendor attempted a partial fix via pull request 8697 on 2025-07-10, but the fix was incomplete, leaving the vulnerability exploitable. The CVSS 4.0 vector indicates that the attack requires local access, high attack complexity, partial privileges, no user interaction, and results in high confidentiality, integrity, and availability impacts with scope change. No public exploits have been reported yet, but the risk remains significant due to the high privileges of the Wazuh service and the potential for local attackers to escalate privileges or disrupt critical files.
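The vulnerable check-then-delete sequence the summary describes, beside an identity-pinned deletion that refuses to proceed when the path no longer resolves to the object that was flagged. This is an added example written for this page, not Wazuh's code: the quarantine directory, the `record_target`/`pinned_delete` helpers and the symlink swap are constructed for illustration, and it uses POSIX symlinks and `dir_fd`-relative calls to stand in for the Windows junction and handle equivalents.

```python
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileIdentity:
    """Device/inode pair: identifies the object itself, not the name it is reached by."""
    dev: int
    ino: int


def _identity(st: os.stat_result) -> FileIdentity:
    return FileIdentity(st.st_dev, st.st_ino)


def record_target(path: str) -> dict:
    """Check phase: remember WHAT was flagged, not just the path string.

    Stores the identity of the parent directory and of the target entry,
    both resolved without following symlinks."""
    parent, name = os.path.split(os.path.abspath(path))
    pst = os.stat(parent, follow_symlinks=False)
    fst = os.stat(path, follow_symlinks=False)
    if not stat.S_ISDIR(pst.st_mode) or not stat.S_ISREG(fst.st_mode):
        raise ValueError("target must be a regular file inside a real directory")
    return {"parent": parent, "name": name,
            "parent_id": _identity(pst), "file_id": _identity(fst)}


def naive_delete(path: str) -> bool:
    """Use phase, vulnerable form: re-check by path, then delete by path.
    Whatever changes what the path resolves to between the two calls wins."""
    if os.path.exists(path):
        os.remove(path)
        return True
    return False


def pinned_delete(action: dict) -> bool:
    """Use phase, hardened form: delete relative to a directory handle whose
    identity matches the one recorded at check time, and only if the entry is
    still the same regular file. Returns False (refuses) on any mismatch."""
    try:
        # O_NOFOLLOW: fail if the final path component has become a symlink.
        dfd = os.open(action["parent"], os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        # Catches a swap higher up the path, which O_NOFOLLOW alone would miss.
        if _identity(os.fstat(dfd)) != action["parent_id"]:
            return False
        try:
            est = os.stat(action["name"], dir_fd=dfd, follow_symlinks=False)
        except FileNotFoundError:
            return False
        if not stat.S_ISREG(est.st_mode) or _identity(est) != action["file_id"]:
            return False
        # Unlink relative to the pinned directory handle; unlink never follows symlinks.
        os.unlink(action["name"], dir_fd=dfd)
        return True
    finally:
        os.close(dfd)


def simulate(hardened: bool) -> dict:
    """Constructed scenario: flag a file in a quarantine directory, then, between
    check and use, replace that directory with a symlink to an unrelated
    directory holding a same-named file."""
    root = tempfile.mkdtemp()
    try:
        quarantine = os.path.join(root, "quarantine")
        victim_dir = os.path.join(root, "victim")
        os.mkdir(quarantine)
        os.mkdir(victim_dir)
        target = os.path.join(quarantine, "sample.bin")
        victim = os.path.join(victim_dir, "sample.bin")
        for p in (target, victim):
            with open(p, "w") as fh:
                fh.write("x")
        action = record_target(target)                  # check
        os.rename(quarantine, quarantine + ".moved")    # race window opens
        os.symlink(victim_dir, quarantine)              # path now points elsewhere
        deleted = pinned_delete(action) if hardened else naive_delete(target)  # use
        return {"deleted": deleted, "victim_survived": os.path.exists(victim)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("naive   :", simulate(hardened=False))
    print("hardened:", simulate(hardened=True))
```

The residual window in `pinned_delete` is between the relative stat and the unlink inside the already-pinned directory: an entry can still be swapped within that directory, but the deletion can no longer be redirected outside it. On Windows the analogous pattern is to open the target with a handle that does not follow reparse points and delete through that handle rather than by path.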
Potential Impact
For European organizations, the impact of CVE-2025-34294 can be severe, especially for those relying on Wazuh for endpoint security and file integrity monitoring with automatic threat removal enabled. Exploitation can lead to arbitrary deletion of critical system or application files with SYSTEM-level privileges, resulting in local privilege escalation, potential denial of service, and loss of data integrity. This undermines the security posture of affected systems, potentially allowing attackers to disable security controls or manipulate logs and files to cover their tracks. Organizations in sectors with strict regulatory requirements for data integrity and system availability, such as finance, healthcare, and critical infrastructure, face increased compliance risks and operational disruptions. The vulnerability's requirement for local access limits remote exploitation but raises concerns for insider threats or attackers who have gained initial footholds. Given Wazuh's growing adoption in Europe for security monitoring, the vulnerability could affect a broad range of enterprises, increasing the risk of lateral movement and deeper compromise within networks.
Mitigation Recommendations
European organizations using Wazuh should immediately audit their deployment configurations to determine if automatic threat removal is enabled in the File Integrity Monitoring module. If enabled, consider disabling automatic threat removal until a complete and verified patch is available. Apply any official patches or updates from Wazuh as soon as they are released, ensuring that the fix fully addresses the TOCTOU race condition. Implement strict access controls to limit local user privileges and reduce the risk of local exploitation. Employ host-based intrusion detection and monitoring to detect suspicious file deletion activities and anomalous behavior of the Wazuh service. Conduct regular integrity checks and maintain backups of critical files to enable recovery from unauthorized deletions. Additionally, review and harden endpoint security policies to minimize the risk of local attackers gaining initial access. Engage with Wazuh support or community channels to track the status of a complete fix and share threat intelligence related to this vulnerability.
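One form the recommended host-based monitoring of file deletions can take, as an added example that is not part of the page or of Wazuh: a review pass over deletion telemetry shaped like Sysmon Event ID 23 (FileDelete) records, flagging SYSTEM-context deletions whose target lies outside the directories a response action is expected to touch. The allowed roots and the sample events are constructed placeholders; a deployment would substitute its own monitored and quarantine paths.

```python
import ntpath
from dataclasses import dataclass

# Directories a response action is expected to delete from (constructed placeholders).
ALLOWED_DELETE_ROOTS = [
    r"C:\Quarantine",
    r"C:\Users\Public\Downloads",
]
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"


@dataclass
class Finding:
    time: str
    path: str
    reason: str


def normalize(path: str) -> str:
    """Canonicalize a Windows path for comparison: drop the \\?\ prefix,
    collapse . and .. components, lower-case (NTFS names are case-insensitive)."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normcase(ntpath.normpath(path))


def under_root(path: str, root: str) -> bool:
    """True if path is root itself or lies below it (prefix match on whole components)."""
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def review_deletions(events: list[dict]) -> list[Finding]:
    """Flag deletions performed in the SYSTEM security context whose target is
    outside every allowed root. Non-SYSTEM deletions are out of scope here."""
    findings = []
    for ev in events:
        if ev.get("User") != SYSTEM_USER:
            continue
        target = ev["TargetFilename"]
        if not any(under_root(target, r) for r in ALLOWED_DELETE_ROOTS):
            findings.append(Finding(ev["UtcTime"], target, "SYSTEM deletion outside allowed roots"))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-28 16:35:01", "User": SYSTEM_USER,
     "TargetFilename": r"C:\Quarantine\sample.bin"},
    {"UtcTime": "2025-10-28 16:35:02", "User": SYSTEM_USER,
     "TargetFilename": r"C:\Quarantine\..\Windows\System32\drivers\etc\hosts"},
    {"UtcTime": "2025-10-28 16:35:03", "User": SYSTEM_USER,
     "TargetFilename": r"\\?\C:\Program Files\Important\config.xml"},
    {"UtcTime": "2025-10-28 16:35:04", "User": r"DESKTOP\alice",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]


if __name__ == "__main__":
    for f in review_deletions(SAMPLE_EVENTS):
        print(f.time, f.reason, f.path)
```

The normalization step matters more than it looks: a prefix check on the raw string would accept the `..` traversal in the second record and miss the `\\?\`-prefixed third one. A deployment would also correlate the `Image` field with the agent process and keep the allowed roots in sync with the FIM configuration.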
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.581Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6900f0e28b5ca1e4f6b448e0
Added to database: 10/28/2025, 4:35:46 PM
Last enriched: 11/19/2025, 4:11:28 AM
Last updated: 12/14/2025, 2:20:10 AM