Threat Advisory: Critical Wazuh Vulnerability (CVE-2025-24016) – Immediate Action Required!

Description

A critical remote code execution (RCE) vulnerability (CVE-2025-24016) with a CVSS score of 9.9 has been discovered in Wazuh, posing a significant threat to security monitoring systems. The vulnerability is caused by an unsafe deserialization weakness in Wazuh’s API, which attackers might use to execute arbitrary code and take control of affected systems.

Impact

  • Unauthorized Remote Code Execution: Attackers can use the vulnerability to run arbitrary code on impacted servers. This means they can install malware, execute malicious commands, and alter system processes without permission.
  • Full System Compromise: Wazuh’s API, dashboard, or misconfigured agents can be used to exploit the vulnerability, giving attackers complete control over the system. Once inside, they can move laterally throughout the network, escalate privileges, and interfere with vital security monitoring tasks.
  • Loss of Sensitive Security Data & Operational Disruption: A successful attack could lead to the exposure or theft of sensitive security logs and monitoring data. This can compromise compliance, weaken security defenses, and cause downtime or operational failures, putting an organization’s entire security posture at risk.

Recommendations

Immediate Action Required: To reduce this risk, immediately update to Wazuh version 4.9.1 if you are running version 4.4.0 or later. Wazuh fixed the issue in that release and has published official guidance with further instructions.
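As an added example (not from this advisory or from Wazuh itself), the following Python helper checks server version strings against the affected range stated above (4.4.0 or later, fixed in 4.9.1) and sorts an inventory into hosts that still need patching. The hostnames and version strings are constructed; the assumption that a version string can be read from the output of `wazuh-control info` or from the Wazuh API is the editor's, not the advisory's.

```python
import re
from typing import Iterable

# Affected range as stated in the advisory: 4.4.0 <= version < 4.9.1
FIRST_AFFECTED = (4, 4, 0)
FIXED_IN = (4, 9, 1)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first MAJOR.MINOR.PATCH triple from strings such as
    'v4.7.2', 'Wazuh 4.9.0' or a line like WAZUH_VERSION="v4.5.4"."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the vulnerable range.
    Tuple comparison avoids the classic string-compare mistake
    where '4.10.0' would sort below '4.9.1'."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def triage(inventory: Iterable) -> dict:
    """Sort (hostname, version_string) pairs into patch / ok / unknown buckets."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, ver in inventory:
        try:
            bucket = "patch" if is_affected(ver) else "ok"
        except ValueError:
            bucket = "unknown"  # unparseable version: verify by hand
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("siem-01", 'WAZUH_VERSION="v4.7.2"'),
    ("siem-02", "v4.9.1"),
    ("siem-03", "4.3.10"),
    ("siem-04", "v4.10.0"),
    ("siem-05", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```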

Additional Security Measures:

  • Restrict API access permissions to limit exposure
  • Harden agent configurations to prevent unauthorized access
  • Enforce strong authentication methods to secure system interactions

References

Remote code execution in Wazuh server

For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.

Threat Advisory
Team Accorian