Skip to main content
CVE Vulnerability Database

CVE-2024-1243: Wazuh Agent for Windows RCE Vulnerability

CVE-2024-1243 is a remote code execution vulnerability in Wazuh Agent for Windows that allows attackers to leak NetNTLMv2 hashes and escalate to SYSTEM privileges. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-1243 Overview

CVE-2024-1243 is an improper input validation vulnerability [CWE-20] in the Wazuh agent for Windows prior to version 4.8.0. An attacker with control over the Wazuh server or the agent key can configure the agent to connect to a malicious Universal Naming Convention (UNC) path. The forced UNC connection leaks the machine account NetNTLMv2 hash from the affected Windows host. Attackers can relay that hash for remote code execution or escalate privileges to SYSTEM through Active Directory Certificate Services (AD CS) certificate forging and similar coercion techniques.

Critical Impact

A compromised Wazuh server or stolen agent key enables NetNTLMv2 hash theft from every connected Windows endpoint, leading to SYSTEM-level compromise across the domain.

Affected Products

  • Wazuh agent for Windows, all versions prior to 4.8.0
  • Deployments where the Wazuh server or agent key material is exposed to untrusted parties
  • Windows endpoints joined to Active Directory running a vulnerable Wazuh agent

Discovery Timeline

  • 2025-06-11 - CVE-2024-1243 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-1243

Vulnerability Analysis

The Wazuh agent for Windows accepts configuration parameters that can resolve to file paths. The agent does not validate these inputs to ensure they reference safe local resources. An attacker who controls the Wazuh server, or who possesses a valid agent key, can push a configuration that directs the agent to a remote UNC path such as \\attacker-host\share\file.

When the Windows agent attempts to access the attacker-controlled UNC path, the operating system performs an automatic NTLM authentication handshake using the machine account. The attacker captures the resulting NetNTLMv2 challenge response. From there, attackers can relay the hash to LDAP, SMB, or AD CS endpoints to obtain code execution or forge certificates that authenticate as the victim machine account, ultimately yielding SYSTEM privileges.

Root Cause

The root cause is missing validation on agent-side configuration values that are interpreted as filesystem paths. The agent does not restrict paths to local volumes or reject UNC syntax, allowing remote SMB connections to be initiated by the privileged agent process.

Attack Vector

Exploitation requires that the attacker control either the Wazuh server distributing configuration to agents or a valid agent key. Once that prerequisite is met, the attack proceeds over the network. The attacker stands up an SMB listener (for example, Responder or ntlmrelayx), pushes a malicious path through Wazuh configuration, and waits for the agent to authenticate. The captured machine account hash is then relayed against vulnerable services such as AD CS web enrollment to issue a certificate that impersonates the host. Technical write-up details are available in the Pentraze CVE-2024-1243 Report and the Wazuh GitHub Security Advisory.

Detection Methods for CVE-2024-1243

Indicators of Compromise

  • Outbound SMB (TCP/445) connections from Windows hosts running the Wazuh agent (ossec-agent.exe) to unexpected or external IP addresses
  • Wazuh agent configuration entries referencing UNC paths (\\host\share) where local paths are expected
  • Event ID 4624 or 4625 logon events for machine accounts originating from untrusted hosts
  • AD CS certificate issuance events for machine accounts that do not align with normal enrollment patterns

Detection Strategies

  • Audit ossec.conf and centrally managed Wazuh configurations for UNC paths and unexpected remote references
  • Monitor process behavior of the Wazuh agent service for SMB or WebDAV traffic to non-internal destinations
  • Alert on NTLM authentication attempts from machine accounts to hosts outside the trusted server inventory

Monitoring Recommendations

  • Enable NTLM auditing on domain controllers and correlate authentications sourced from Wazuh-managed endpoints
  • Forward Wazuh server access logs and agent key management events to a SIEM for review of unauthorized configuration changes
  • Track AD CS enrollment logs for anomalous certificate requests tied to machine accounts

How to Mitigate CVE-2024-1243

Immediate Actions Required

  • Upgrade all Wazuh agents for Windows to version 4.8.0 or later
  • Rotate any agent keys that may have been exposed and review Wazuh server access controls
  • Restrict outbound SMB (TCP/445) traffic from endpoints to internal file servers only
  • Enable Extended Protection for Authentication and SMB signing on domain controllers and AD CS endpoints to blunt NTLM relay

Patch Information

Wazuh addressed CVE-2024-1243 in version 4.8.0. Refer to the Wazuh GitHub Security Advisory GHSA-3crh-39qv-fxj7 for upgrade guidance and affected component details.

Workarounds

  • Harden the Wazuh server with strict administrative access controls and multi-factor authentication to prevent unauthorized configuration pushes
  • Apply egress firewall rules that block SMB and WebDAV traffic from Wazuh-managed Windows hosts to untrusted networks
  • Enforce the Network security: Restrict NTLM group policy settings to limit outgoing NTLM traffic to approved servers
  • Enable AD CS hardening per Microsoft guidance, including requiring channel binding and disabling vulnerable enrollment endpoints
bash
# Example egress restriction (Windows Defender Firewall)
New-NetFirewallRule -DisplayName "Block Outbound SMB to Untrusted" `
  -Direction Outbound -Protocol TCP -RemotePort 445 `
  -RemoteAddress "Internet" -Action Block

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.