Back to KEVs

CVE-2025-24016

Remote code execution in Wazuh server

Basic Information

CVE State: PUBLISHED
Reserved Date: January 16, 2025
Published Date: February 10, 2025
Last Updated: February 12, 2025
Vendor: wazuh
Product: wazuh
Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Tags

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

EPSS Score

Score: 76.07% (Percentile: 98.85%) as of 2025-06-03

SSVC Information

Exploitation: poc
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-06 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-04-21 19:13:01 UTC) Source

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-05-06 00:00:00 UTC

Recent Mentions

CISA Adds Two Known Exploited Vulnerabilities to Catalog

Source: All CISA Advisories • Published: 2025-06-10 12:00:00 UTC

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.  CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

Source: TheHackerNews • Published: 2025-06-09 14:46:00 UTC

A now-patched critical security flaw in the Wazur Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24016.yaml	2025-05-20 05:30:21 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Timeline

CVE ID Reserved

January 16, 2025
CVE Published to Public

February 10, 2025
Proof of Concept Exploit Available

April 21, 2025
Added to KEVIntel

May 06, 2025
Detected by Nuclei

May 20, 2025