Cyber Posture

CVE-2026-25769

Critical · Public PoC

Published: 17 March 2026
Modified: 19 March 2026
KEV Added:
Patch:
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.1st percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) are impacted, as is any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack). An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly addresses the RCE vulnerability by requiring timely flaw remediation through patching to Wazuh version 4.14.3 or later.

prevent: Prevents deserialization of untrusted data (CWE-502) by enforcing validation of information inputs received by the master node from worker nodes. For an operator this control is delivered by the vendor fix; the master's handling of worker messages is not something a deployment can reconfigure, so upgrading is how the validation gets enforced.

prevent: Enforces least privilege on worker nodes, increasing the difficulty for attackers to obtain the high privileges (PR:H) needed to exploit the vulnerability. PR:H here reflects the precondition that the attacker already controls a worker node, so in practice this means hardening worker hosts and limiting which hosts can reach the master's cluster listener; it reduces the chance of the precondition being met but does not remove the flaw.
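To make the weakness class concrete, the following Python is an added example illustrating CWE-502 in a master/worker message handler: a receiver that deserializes whatever bytes a worker sends (vulnerable) next to one that accepts only a validated, data-only JSON structure (hardened). It is generic illustration written for this page, not Wazuh's cluster code, and it uses Python pickle as the unsafe format purely as a stand-in; the page does not say which serialization Wazuh's cluster uses, and nothing here reproduces CVE-2026-25769. The message fields, the gadget and the sample payloads are all constructed.

```python
import json
import pickle

# Observable side effect so the "gadget" proves code ran without touching the
# host.  A real payload would call os.system or similar at this point.
SIDE_EFFECT = {"ran": False}


def _gadget():
    SIDE_EFFECT["ran"] = True
    return "code ran during deserialization"


class Gadget:
    """pickle records __reduce__'s (callable, args) on dump and calls it on load."""

    def __reduce__(self):
        return (_gadget, ())


def build_benign_pickle(node: str, agents: int) -> bytes:
    """Constructed sample: the kind of status record a worker might report."""
    return pickle.dumps({"node": node, "agents": agents})


def build_malicious_pickle() -> bytes:
    """Constructed sample: what a compromised worker sends to a master that unpickles."""
    return pickle.dumps(Gadget())


def master_handle_vulnerable(raw: bytes):
    # CWE-502: whatever callable __reduce__ names is invoked here, with the
    # privileges of the receiving process (root, in the scenario on this page).
    return pickle.loads(raw)


# Hardened variant: a data-only format plus an explicit allowlist of fields
# and types (hypothetical schema for this example).
ALLOWED_FIELDS = {"node": str, "agents": int}


def master_handle_hardened(raw: bytes) -> dict:
    """Accept only UTF-8 JSON that is exactly a dict with the allowed fields."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        # pickle bytes start with 0x80 and fail here before anything is interpreted
        raise ValueError("rejected: not valid UTF-8 JSON") from exc
    if not isinstance(msg, dict) or set(msg) != set(ALLOWED_FIELDS):
        raise ValueError("rejected: unexpected message shape")
    for key, typ in ALLOWED_FIELDS.items():
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(msg[key], bool) or not isinstance(msg[key], typ):
            raise ValueError(f"rejected: bad type for {key!r}")
    return msg


def build_benign_json(node: str, agents: int) -> bytes:
    return json.dumps({"node": node, "agents": agents}).encode("utf-8")


def hardened_rejects(raw: bytes) -> bool:
    """True if the hardened handler refuses the message."""
    try:
        master_handle_hardened(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(master_handle_vulnerable(build_malicious_pickle()), SIDE_EFFECT)
    print("hardened rejects malicious payload:", hardened_rejects(build_malicious_pickle()))
```

The point of the hardened handler is that the decoder itself can never execute anything: JSON yields only dicts, lists, strings, numbers and booleans, and the allowlist then rejects any shape the protocol did not define, including extra keys and boolean-for-integer substitutions.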

Security Summary [AI-generated]

CVE-2026-25769 is a Remote Code Execution (RCE) vulnerability stemming from Deserialization of Untrusted Data (CWE-502) in Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects versions 4.0.0 through 4.14.2 and is specific to deployments running in cluster mode with a master/worker architecture. The vulnerability is exploited across nodes in that setup and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), a Critical rating driven by the changed scope and complete loss of confidentiality, integrity and availability.

The PR:H in the vector reflects the precondition: the attacker must first control a worker node, reached through any means such as initial access, insider threat, or supply chain compromise. From that worker, the attacker can execute arbitrary code on the master node as root, gaining full control of the primary cluster node and potentially the entire Wazuh deployment.

Wazuh has addressed the issue in version 4.14.3, which organizations should apply immediately. The Wazuh GitHub security advisory (GHSA-3gm7-962f-fxw5) details the fix and recommends upgrading affected cluster deployments while scrutinizing worker node security.

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

wazuh / wazuh: 4.0.0 up to, but not including, 4.14.3 (that is, 4.0.0 through 4.14.2; 4.14.3 is the fixed release)
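A practitioner's first question is which managers fall inside that range and actually run in cluster mode. The Python below is an added example, not a Wazuh-provided tool, that applies the page's version range (4.0.0 up to but excluding 4.14.3) to two inputs: the WAZUH_VERSION="vX.Y.Z" line that /var/ossec/bin/wazuh-control info prints, and the <cluster> block of /var/ossec/etc/ossec.conf, where <disabled>yes</disabled> means the node is not clustered. Both input shapes are assumptions about those files' format, and every sample value (node names, addresses, key, port) is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Range stated on this page: 4.0.0 through 4.14.2 affected, 4.14.3 fixed.
FIRST_AFFECTED = (4, 0, 0)
FIRST_FIXED = (4, 14, 3)

# Constructed samples (assumed output shapes, not captured from a real host).
INFO_SAMPLE = '''WAZUH_VERSION="v4.14.1"
WAZUH_REVISION="41401"
WAZUH_TYPE="server"
'''

CONF_CLUSTER_MASTER = """<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>master-01</node_name>
    <node_type>master</node_type>
    <key>REDACTED-PLACEHOLDER</key>
    <port>1516</port>
    <bind_addr>0.0.0.0</bind_addr>
    <nodes>
      <node>10.0.0.10</node>
    </nodes>
    <hidden>no</hidden>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
"""

# A manager that shipped with the cluster block left disabled.
CONF_STANDALONE = """<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>node01</node_name>
    <node_type>master</node_type>
    <key></key>
    <port>1516</port>
    <disabled>yes</disabled>
  </cluster>
</ossec_config>
"""


def parse_version(info_text: str) -> tuple:
    """Pull (major, minor, patch) out of a WAZUH_VERSION="vX.Y.Z" line."""
    m = re.search(r'WAZUH_VERSION="v?(\d+)\.(\d+)\.(\d+)"', info_text)
    if not m:
        raise ValueError("no WAZUH_VERSION line found")
    return tuple(int(part) for part in m.groups())


def version_affected(version: tuple) -> bool:
    """Tuple comparison gives correct ordering (4.9.0 < 4.14.3 despite '9' > '1')."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def cluster_role(ossec_conf: str):
    """Return (cluster_enabled, node_type).  ossec.conf may contain several
    top-level <ossec_config> elements, so wrap the text before parsing."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    cluster = root.find(".//cluster")
    if cluster is None:
        return False, None
    disabled = (cluster.findtext("disabled") or "no").strip().lower() == "yes"
    node_type = (cluster.findtext("node_type") or "").strip().lower() or None
    return (not disabled), node_type


def assess(info_text: str, ossec_conf: str) -> dict:
    """Combine version and cluster state into an in-scope verdict and an action."""
    version = parse_version(info_text)
    enabled, node_type = cluster_role(ossec_conf)
    affected = version_affected(version)
    in_scope = affected and enabled
    if in_scope:
        action = "upgrade to 4.14.3 or later; until then treat every worker as a path to root on the master"
    elif affected:
        action = "vulnerable version but cluster mode disabled; upgrade before enabling the cluster"
    else:
        action = "not affected"
    return {
        "version": ".".join(map(str, version)),
        "version_affected": affected,
        "cluster_enabled": enabled,
        "node_type": node_type,
        "in_scope": in_scope,
        "action": action,
    }


if __name__ == "__main__":
    print(assess(INFO_SAMPLE, CONF_CLUSTER_MASTER))
    print(assess(INFO_SAMPLE, CONF_STANDALONE))
```

Run it on every manager, not just the master: the page's impact is on the master, but a worker on an affected version is the pivot point, and a cluster is only out of scope once all of its nodes report 4.14.3 or later.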

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables remote code execution on the master node from a high-privilege position on a worker node via deserialization, directly facilitating Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
