Cyber Posture

CVE-2024-35177

Severity: High (public PoC available)

Published: 03 February 2025
Modified: 16 September 2025
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.1th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalation vulnerability due to an improper ACL on a non-default installation directory. A local malicious user could potentially exploit this vulnerability by placing, in the agent's installation folder, one of the many DLLs that the agent loads but that are not present on the system, OR by replacing the service executable binary itself with a malicious one. The root cause is an improper ACL applied to the installation folder when a non-default installation path is specified (e.g., C:\wazuh). Many DLLs are loaded from the installation folder, and by creating a malicious DLL that exports the functions of a legitimate one that is not found on the system where the agent is installed (such as rsync.dll), it is possible to escalate privileges from a low-privileged user and obtain code execution in the context of NT AUTHORITY\SYSTEM. This issue has been addressed in version 4.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Security Summary

CVE-2024-35177 is a local privilege escalation vulnerability in the Wazuh-agent for Windows, part of the open-source Wazuh platform for threat prevention, detection, and response across various environments. The issue stems from improper access control lists (ACLs) applied to the agent's installation directory when a non-default path such as C:\wazuh is chosen. The flaw is rated 7.8 on CVSS 3.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-284. The weak ACL lets unprivileged users modify files in the installation folder, and because the agent loads many DLLs from that folder, those modifications are executed by the service.

A low-privileged local user can exploit this vulnerability by placing a malicious DLL in the installation directory—one that exports the functions of a legitimate DLL not present on the system, such as rsync.dll—or by replacing the service executable binary itself. Successful exploitation leads to code execution under the context of NT AUTHORITY\SYSTEM, enabling full compromise of the host with high confidentiality, integrity, and availability impacts.

The Wazuh security advisory (GHSA-pmr2-2r83-h3cv) confirms the issue has been addressed in Wazuh-agent version 4.9.0, urging all users to upgrade immediately. No workarounds are available.
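As an added defender-side check that is not part of this advisory or of Wazuh's own tooling, the PowerShell script below audits the agent's installation directory and its executables for ACL entries that grant write-class rights to low-privileged principals, which is the condition the advisory describes. The C:\wazuh path is the advisory's example of a non-default install location; the list of principals treated as low-privileged and the set of rights treated as "write-class" are assumptions to adjust to local policy.

```powershell
# Added audit script (not from the advisory or from Wazuh): report ACL entries on the
# Wazuh agent install directory that let low-privileged users drop or replace files.
param(
    # Assumed non-default install path; the advisory uses C:\wazuh as its example.
    [string]$InstallDir = 'C:\wazuh'
)

# Principals that should never hold write-class rights on a SYSTEM service's folder (assumed list).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, replacing or deleting a DLL/EXE, or re-permissioning the folder.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Find-WeakAce {
    # Returns one object per Allow ACE that gives a low-privileged principal write-class rights.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder itself (DLL-drop vector) and every EXE/DLL in it (binary-replacement vector).
$findings = @(Find-WeakAce -Path $InstallDir)
Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += @(Find-WeakAce -Path $_.FullName) }

if ($findings.Count -eq 0) {
    Write-Output "No write-class rights for low-privileged principals found under $InstallDir."
} else {
    Write-Warning "Weak ACL entries found under $InstallDir; upgrade the agent to 4.9.0 or later and tighten the ACL:"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt on each Windows host where the agent was installed to a custom path; a clean result means no listed principal can write into the folder or replace its binaries, while any reported entry is the precondition the advisory describes and should be treated as a finding until the agent is upgraded to 4.9.0 and the directory ACL is corrected.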

Details

CWE(s)
CWE-284

Affected Products

Vendor: wazuh
Product: wazuh
Versions: 3.0.0 — 4.9.0

References