Wazuh, a widely used open-source security platform for threat detection and compliance monitoring, has been found to contain a critical Remote Code Execution (RCE) vulnerability. Identified as CVE-2025-24016, this flaw allows attackers with API access to execute arbitrary Python code on the server, posing a significant risk to affected systems.
Severity and Impact
This vulnerability has been assigned a CVSS score of 9.9 (Critical) due to its potential for system compromise. Exploiting this flaw could enable attackers to:
- Execute arbitrary Python code remotely.
- Shut down or take control of Wazuh servers.
- Compromise agents to propagate attacks across the Wazuh cluster.
These consequences could severely impact system integrity, availability, and confidentiality, making this a high-priority security concern for organizations using Wazuh for security monitoring.
Technical Details
The vulnerability stems from unsafe deserialization in the Wazuh API's DistributedAPI (DAPI) component. Specifically, JSON parameters are deserialized using the as_wazuh_object function located in framework/wazuh/core/cluster/common.py.
An attacker can exploit this by injecting an unsanitized dictionary into DAPI requests or responses, allowing them to execute arbitrary code.
Attack Vector: run_as Endpoint
One notable attack vector involves the run_as endpoint, where attackers can manipulate the auth_context argument to send crafted malicious API requests. Such requests could trigger arbitrary code execution on the master server. Additionally, compromised Wazuh agents in certain configurations can exploit this vulnerability by injecting malicious payloads into API requests.
Affected Versions
- Vulnerable: Wazuh Manager versions 4.4.0 through 4.9.0
- Patched: Wazuh Manager 4.9.1 and later
Proof of Concept (PoC)
A publicly available Proof of Concept (PoC) demonstrates how attackers can exploit this flaw by sending crafted JSON payloads to the API. For instance, a malicious request to the run_as endpoint can inject an unsanitized exception (__unhandled_exc__), leading to arbitrary code execution.
Mitigation and Recommendations
To protect against CVE-2025-24016, organizations should take the following actions immediately:
- Upgrade to the latest version:
  - Update to Wazuh version 4.9.1 or later, where the vulnerability has been patched.
- Restrict API access:
  - Limit API access to trusted networks.
  - Enforce strict authentication and authorization policies.
- Monitor logs for suspicious activity:
  - Regularly review logs for unusual API calls or unauthorized access attempts.
- Harden agent configurations:
  - Secure Wazuh agents to prevent exploitation through compromised endpoints.
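Two of the recommendations above (confirming affected versions and reviewing logs for unusual API calls) can be turned into a quick check. The Python example below is added here and is not part of the original article or of Wazuh's tooling: is_affected tests a manager version string against the 4.4.0 through 4.9.0 range the article gives, and scan_api_log flags API request lines that either carry the __unhandled_exc__ key anywhere in the body or send a marker-style key inside auth_context to the run_as endpoint. The "<timestamp> <METHOD> <path> <json body>" line format, the request paths and the sample log entries are constructed for this example and are not a real Wazuh log format.

```python
import json
import re
from typing import Any, Iterable

# Affected range stated in the advisory text: Wazuh Manager 4.4.0 through 4.9.0 inclusive.
FIRST_AFFECTED = (4, 4, 0)
LAST_AFFECTED = (4, 9, 0)
SUSPICIOUS_KEY = "__unhandled_exc__"


def parse_version(version: str) -> tuple[int, int, int]:
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True for manager versions inside the advisory's vulnerable range."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def _contains_key(node: Any, key: str) -> bool:
    # Walk nested dicts and lists; the key may be buried at any depth.
    if isinstance(node, dict):
        return key in node or any(_contains_key(v, key) for v in node.values())
    if isinstance(node, list):
        return any(_contains_key(v, key) for v in node)
    return False


def _has_marker_key(node: dict[str, Any]) -> bool:
    return any(k.startswith("__") and k.endswith("__") for k in node)


# Constructed line format for this example: "<timestamp> <METHOD> <path> <json body>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\{.*\})$")


def scan_api_log(lines: Iterable[str]) -> list[dict[str, Any]]:
    """Return one finding per suspicious line, with the reasons it was flagged."""
    findings: list[dict[str, Any]] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            body = None
        reasons: list[str] = []
        if m["path"].endswith("/run_as") and isinstance(body, dict):
            ctx = body.get("auth_context")
            if isinstance(ctx, dict) and _has_marker_key(ctx):
                reasons.append("marker-style key inside auth_context on run_as")
        if _contains_key(body, SUSPICIOUS_KEY):
            reasons.append(f"{SUSPICIOUS_KEY} present in request body")
        if reasons:
            findings.append({"line_no": line_no, "ts": m["ts"], "path": m["path"], "reasons": reasons})
    return findings


# Constructed sample entries; the paths and bodies are illustrative, not captured traffic.
SAMPLE_LOG = [
    '2025-02-10T12:00:01Z POST /security/user/authenticate/run_as {"auth_context": {"username": "example-user", "roles": ["readonly"]}}',
    '2025-02-10T12:00:02Z POST /security/user/authenticate/run_as {"auth_context": {"__unhandled_exc__": {"detail": "placeholder"}}}',
    '2025-02-10T12:00:03Z GET /agents {"limit": 10}',
    '2025-02-10T12:00:04Z PUT /agents/restart {"data": {"__unhandled_exc__": "placeholder"}}',
]

if __name__ == "__main__":
    for v in ("4.3.11", "4.4.0", "4.9.0", "4.9.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for finding in scan_api_log(SAMPLE_LOG):
        print(finding)
```

The scanner is deliberately narrow: it keys on the one identifier the article names and on the auth_context/run_as combination it describes, so it is a triage aid for log review rather than a general detection rule. Any hit on a manager that is_affected reports as vulnerable should be treated as a priority for upgrade and investigation.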
Conclusion
CVE-2025-24016 is a critical security vulnerability that requires immediate attention. Organizations using Wazuh for security monitoring must upgrade their systems, tighten API access controls, and actively monitor for potential attacks. Failure to address this flaw could leave infrastructure vulnerable to remote code execution, unauthorized access, and system compromise.
By implementing the recommended security measures, organizations can significantly reduce the risk of exploitation and safeguard their cybersecurity infrastructure from potential threats.