Cyber Posture

CVE-2025-24016

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 10 February 2025
Modified: 24 October 2025
KEV Added: 10 June 2025
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H)
EPSS Score: 0.9351 (99.8th percentile)
Risk Priority: 96 (weighting: 60% EPSS · 20% KEV · 20% CVSS)


Security Summary

CVE-2025-24016 is an unsafe deserialization vulnerability (CWE-502) in Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects Wazuh servers from version 4.4.0 up to but not including 4.9.1. The issue arises in the DistributedAPI (DAPI) where parameters are serialized as JSON and deserialized using the `as_wazuh_object` function in `framework/wazuh/core/cluster/common.py`. This allows an attacker to inject an unsanitized dictionary into a DAPI request or response, forging an unhandled exception (`__unhandled_exc__`) that evaluates arbitrary Python code, resulting in remote code execution (RCE). The vulnerability has a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H).
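The defensive pattern that addresses this class of bug is an allowlist in the JSON object hook: only known type markers are rebuilt, and any other dunder-style key (including `__unhandled_exc__`) is rejected rather than passed to Python evaluation. The block below is an added illustration, not Wazuh's own `as_wazuh_object` code; the `__wazuh_datetime__` marker and the allowlist are constructed for the example, and `is_affected_version` encodes the advisory's range (4.4.0 up to but not including 4.9.1) for inventory checks.

```python
import json
from datetime import datetime, timezone

# Constructed allowlist of typed-object markers this hypothetical decoder will rebuild.
# Any other dunder marker, such as "__unhandled_exc__", is rejected instead of evaluated.
ALLOWED_MARKERS = {"__wazuh_datetime__"}


class UnsafeObjectError(ValueError):
    """Raised when a JSON object carries a marker that is not on the allowlist."""


def safe_object_hook(obj: dict) -> object:
    """json.loads object_hook: rebuild allowlisted typed values, never call eval()."""
    markers = [k for k in obj if k.startswith("__") and k.endswith("__")]
    if not markers:
        return obj  # plain dictionary: pass through untouched
    if len(markers) != 1 or markers[0] not in ALLOWED_MARKERS:
        raise UnsafeObjectError(f"rejected deserialization marker(s): {markers}")
    # Rebuild the one allowlisted type from a plain string; a bad string fails loudly.
    raw = obj["__wazuh_datetime__"]
    if not isinstance(raw, str):
        raise UnsafeObjectError("__wazuh_datetime__ must carry a string")
    return datetime.fromisoformat(raw).replace(tzinfo=timezone.utc)


def safe_loads(payload: str) -> object:
    """Deserialize a DAPI-style JSON message with the allowlist hook applied."""
    return json.loads(payload, object_hook=safe_object_hook)


def is_affected_version(version: str) -> bool:
    """True for Wazuh server versions in the advisory's range: >= 4.4.0 and < 4.9.1."""
    parts = tuple(int(p) for p in version.split("."))
    return (4, 4, 0) <= parts < (4, 9, 1)


if __name__ == "__main__":
    # Constructed sample messages: one benign typed value, one carrying the rejected marker.
    print(safe_loads('{"data": {"__wazuh_datetime__": "2025-02-10T00:00:00"}}'))
    try:
        safe_loads('{"data": {"__unhandled_exc__": "never evaluated"}}')
    except UnsafeObjectError as exc:
        print("blocked:", exc)
    print("4.9.0 affected:", is_affected_version("4.9.0"))
```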

An attacker requires low privileges (PR:L), such as API access obtained through a compromised dashboard, another Wazuh server in the cluster, or, in certain configurations, a compromised agent. Exploitation occurs over the network with low complexity and no user interaction. Because the scope is changed (S:C), the impact extends beyond the vulnerable component: high on integrity and availability, low on confidentiality. Successful exploitation grants RCE on the targeted Wazuh server.

The Wazuh GitHub security advisory (GHSA-hcrc-79hj-m3qh) confirms the fix in version 4.9.1, recommending immediate upgrades for affected installations. No additional workarounds are specified.

This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active real-world exploitation.

Details

CWE(s)
CWE-502
KEV Date Added
10 June 2025

Affected Products

Vendor: wazuh
Product: wazuh
Versions: 4.4.0 to 4.9.1 (upper bound exclusive; 4.9.1 is the fixed release)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe deserialization in the Wazuh server enables network-based RCE through arbitrary Python code evaluation in the DAPI. That maps directly to exploitation of a public-facing application (T1190) for initial access and to execution through the Python interpreter (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
