CVE-2024-1243 Overview
CVE-2024-1243 is an improper input validation vulnerability [CWE-20] in the Wazuh agent for Windows prior to version 4.8.0. An attacker with control over the Wazuh server or the agent key can configure the agent to connect to a malicious Universal Naming Convention (UNC) path. The forced UNC connection leaks the machine account NetNTLMv2 hash from the affected Windows host. Attackers can relay that hash for remote code execution or escalate privileges to SYSTEM through Active Directory Certificate Services (AD CS) certificate forging and similar coercion techniques.
Critical Impact
A compromised Wazuh server or stolen agent key enables NetNTLMv2 hash theft from every connected Windows endpoint, leading to SYSTEM-level compromise across the domain.
Affected Products
- Wazuh agent for Windows, all versions prior to 4.8.0
- Deployments where the Wazuh server or agent key material is exposed to untrusted parties
- Windows endpoints joined to Active Directory running a vulnerable Wazuh agent
Discovery Timeline
- 2025-06-11 - CVE-2024-1243 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-1243
Vulnerability Analysis
The Wazuh agent for Windows accepts configuration parameters that can resolve to file paths. The agent does not validate these inputs to ensure they reference safe local resources. An attacker who controls the Wazuh server, or who possesses a valid agent key, can push a configuration that directs the agent to a remote UNC path such as \\attacker-host\share\file.
When the Windows agent attempts to access the attacker-controlled UNC path, the operating system performs an automatic NTLM authentication handshake using the machine account. The attacker captures the resulting NetNTLMv2 challenge response. From there, attackers can relay the hash to LDAP, SMB, or AD CS endpoints to obtain code execution or forge certificates that authenticate as the victim machine account, ultimately yielding SYSTEM privileges.
Root Cause
The root cause is missing validation on agent-side configuration values that are interpreted as filesystem paths. The agent does not restrict paths to local volumes or reject UNC syntax, allowing remote SMB connections to be initiated by the privileged agent process.
Attack Vector
Exploitation requires that the attacker control either the Wazuh server distributing configuration to agents or a valid agent key. Once that prerequisite is met, the attack proceeds over the network. The attacker stands up an SMB listener (for example, Responder or ntlmrelayx), pushes a malicious path through Wazuh configuration, and waits for the agent to authenticate. The captured machine account hash is then relayed against vulnerable services such as AD CS web enrollment to issue a certificate that impersonates the host. Technical write-up details are available in the Pentraze CVE-2024-1243 Report and the Wazuh GitHub Security Advisory.
Detection Methods for CVE-2024-1243
Indicators of Compromise
- Outbound SMB (TCP/445) connections from Windows hosts running the Wazuh agent (ossec-agent.exe) to unexpected or external IP addresses
- Wazuh agent configuration entries referencing UNC paths (\\host\share) where local paths are expected
- Event ID 4624 or 4625 logon events for machine accounts originating from untrusted hosts
- AD CS certificate issuance events for machine accounts that do not align with normal enrollment patterns
Detection Strategies
- Audit ossec.conf and centrally managed Wazuh configurations for UNC paths and unexpected remote references
- Monitor process behavior of the Wazuh agent service for SMB or WebDAV traffic to non-internal destinations
- Alert on NTLM authentication attempts from machine accounts to hosts outside the trusted server inventory
Monitoring Recommendations
- Enable NTLM auditing on domain controllers and correlate authentications sourced from Wazuh-managed endpoints
- Forward Wazuh server access logs and agent key management events to a SIEM for review of unauthorized configuration changes
- Track AD CS enrollment logs for anomalous certificate requests tied to machine accounts
How to Mitigate CVE-2024-1243
Immediate Actions Required
- Upgrade all Wazuh agents for Windows to version 4.8.0 or later
- Rotate any agent keys that may have been exposed and review Wazuh server access controls
- Restrict outbound SMB (TCP/445) traffic from endpoints to internal file servers only
- Enable Extended Protection for Authentication and SMB signing on domain controllers and AD CS endpoints to blunt NTLM relay
Patch Information
Wazuh addressed CVE-2024-1243 in version 4.8.0. Refer to the Wazuh GitHub Security Advisory GHSA-3crh-39qv-fxj7 for upgrade guidance and affected component details.
Workarounds
- Harden the Wazuh server with strict administrative access controls and multi-factor authentication to prevent unauthorized configuration pushes
- Apply egress firewall rules that block SMB and WebDAV traffic from Wazuh-managed Windows hosts to untrusted networks
- Enforce the Network security: Restrict NTLM group policy settings to limit outgoing NTLM traffic to approved servers
- Enable AD CS hardening per Microsoft guidance, including requiring channel binding and disabling vulnerable enrollment endpoints
# Example egress restriction (Windows Defender Firewall)
New-NetFirewallRule -DisplayName "Block Outbound SMB to Untrusted" `
-Direction Outbound -Protocol TCP -RemotePort 445 `
-RemoteAddress "Internet" -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

