
CVE-2025-24016: Wazuh Platform RCE Vulnerability

CVE-2025-24016 is a remote code execution vulnerability in Wazuh that exploits unsafe deserialization in DistributedAPI parameters. Attackers with API access can execute arbitrary code on Wazuh servers. This article covers technical details, affected versions, exploitation risks, and mitigation strategies.


CVE-2025-24016 Overview

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using as_wazuh_object (in framework/wazuh/core/cluster/common.py). If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (__unhandled_exc__) to evaluate arbitrary Python code. The vulnerability can be triggered by anyone with API access (a compromised dashboard or a Wazuh server in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

Critical Impact

Unsafe deserialization of serialized JSON data allows remote code execution on any Wazuh server whose API is reachable by the attacker.

Affected Products

  • Wazuh versions 4.4.0 to 4.9.0

Discovery Timeline

  • 2025-02-10T20:15:42.540 - CVE-2025-24016 published to NVD
  • 2025-10-24T13:59:44.790 - Last updated in NVD database

Technical Details for CVE-2025-24016

Vulnerability Analysis

The vulnerability arises from insecure deserialization handling in the Wazuh Distributed API, potentially allowing attackers to execute arbitrary code by passing crafted input that is deserialized improperly.

Root Cause

The root cause is traced to the as_wazuh_object function in the framework/wazuh/core/cluster/common.py module, where deserialization of JSON data isn't properly sanitized, leading to code execution.

Attack Vector

The attack vector is the network: the flaw is reached through API interaction, so the attacker needs some level of access to the API endpoints.

```python
# Example exploitation code (sanitized)
malicious_payload = '{ "__unhandled_exc__": "eval_exec_string" }'
response = send_dapi_request(malicious_payload)
```
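The hardened decoder the root-cause section calls for, plus a matching detection check, added here as an example; this is not Wazuh's code or its 4.9.1 patch, and the allow-list and the inner "__class__"/"__args__" layout of the marker are assumptions:

```python
import json
from typing import Any

# Allow-list of exception types a DAPI message may legitimately carry.
# Assumed set for this example; the inner "__class__"/"__args__" layout
# is also an assumption, not Wazuh's actual wire format.
ALLOWED_EXCEPTIONS = {"ValueError": ValueError, "KeyError": KeyError, "TimeoutError": TimeoutError}


def safe_as_wazuh_object(dct: dict) -> Any:
    """json.loads object_hook. Where the vulnerable decoder turned the
    __unhandled_exc__ marker into text for eval(), this one resolves the
    class name through the allow-list and rejects everything else."""
    if "__unhandled_exc__" not in dct:
        return dct
    exc = dct["__unhandled_exc__"]
    # A bare string (as in the sanitized payload above) is malformed by definition.
    if not isinstance(exc, dict):
        raise ValueError("malformed __unhandled_exc__ marker")
    cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
    args = exc.get("__args__", [])
    if cls is None or not isinstance(args, list):
        raise ValueError(f"rejected exception marker: {exc.get('__class__')!r}")
    return cls(*args)


def decode_dapi(payload: str) -> Any:
    """Deserialize a DAPI JSON document with the hardened hook."""
    return json.loads(payload, object_hook=safe_as_wazuh_object)


def find_unhandled_exc_markers(payload: str) -> list[str]:
    """Detection helper: JSON paths of every __unhandled_exc__ key, so a
    logged request or response can be flagged before it reaches a decoder."""
    hits: list[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "__unhandled_exc__":
                    hits.append(f"{path}.{key}")
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(json.loads(payload), "$")
    return hits
```

A legitimate marker decodes to a real exception object; anything outside the allow-list, or a marker that is not a dict, is refused instead of being evaluated.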

Detection Methods for CVE-2025-24016

Indicators of Compromise

  • Unusual network traffic to/from Wazuh API endpoints
  • Presence of unexpected processes executed on the Wazuh server
  • Modifications to Wazuh core files

Detection Strategies

Monitor network traffic for suspicious API calls and payloads, analyze logs for anomalies, and alert on unauthorized access attempts.

Monitoring Recommendations

Leverage SentinelOne's behavioral AI to identify the execution of untrusted code and prevent unauthorized access to critical cluster configurations.

How to Mitigate CVE-2025-24016

Immediate Actions Required

  • Update Wazuh to version 4.9.1 immediately
  • Restrict API access to trusted networks
  • Monitor system logs for unusual activities

Patch Information

The vendor has released a patch in version 4.9.1 addressing the deserialization vulnerability. Ensure all Wazuh instances are updated.

Workarounds

Restrict API access to trusted IPs and utilize web application firewalls to inspect and block malicious payloads.

```bash
# Configuration example
# Replace the placeholders with your values; the Wazuh API listens on TCP 55000 by default.
# Order matters: the ACCEPT rule for trusted sources must be appended before the catch-all DROP.
iptables -A INPUT -p tcp --dport <API_PORT> -s <TRUSTED_IPS> -j ACCEPT
iptables -A INPUT -p tcp --dport <API_PORT> -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
