Back to KEVs

CVE-2025-24016

Remote code execution in Wazuh server

Basic Information

CVE State: PUBLISHED
Reserved Date: January 16, 2025
Published Date: February 10, 2025
Last Updated: February 26, 2026
Vendor: wazuh
Product: wazuh
Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Tags

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

EPSS Score

Score: 93.51% (Percentile: 99.83%) as of 2026-05-31

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-06-01 13:30:39 UTC) Source
Proof of Concept Available: Yes (added 2025-02-20 23:31:03 UTC) Source

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

Known Exploited Vulnerability Information

Source	Added Date
CVE	2026-06-01 10:32:30 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24016.yaml	2025-06-02 14:11:04 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

cybersecplayground/CVE-2025-24016-Wazuh-Remote-Code-Execution-RCE-PoC

Type: github • Created: 2025-04-21 19:13:01 UTC • Stars: 0

A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager package. This bug affects Wazuh versions ≥ 4.4.0 and has been patched in version 4.9.1.

celsius026/poc_CVE-2025-24016

Type: github • Created: 2025-04-15 14:24:45 UTC • Stars: 0

GloStarRx1/CVE-2025-24016

Type: github • Created: 2025-02-21 16:21:46 UTC • Stars: 1

CVE-2025-24016: RCE in Wazuh server! Remote Code Execution

MuhammadWaseem29/CVE-2025-24016

Type: github • Created: 2025-02-20 23:31:03 UTC • Stars: 32

CVE-2025-24016: RCE in Wazuh server! Remote Code Execution

0xjessie21/CVE-2025-24016

Type: github • Created: 2025-02-16 11:01:12 UTC • Stars: 36

CVE-2025-24016: Wazuh Unsafe Deserialization Remote Code Execution (RCE)

huseyinstif/CVE-2025-24016-Nuclei-Template

Type: github • Created: 2025-02-13 06:38:43 UTC • Stars: 1

Timeline

CVE ID Reserved

January 16, 2025
CVE Published to Public

February 10, 2025
Proof of Concept Exploit Available

February 20, 2025
Detected by Nuclei

June 02, 2025
Added to KEVIntel

June 01, 2026