Wazuh · Wazuh · CVE-2025-24016
**Name of the Vulnerable Software and Affected Versions**
Wazuh versions 4.4.0 up to and including 4.9.0 (the fix ships in 4.9.1)
**Description**
Wazuh, a platform for threat prevention, detection, and response, is affected by an unsafe deserialization vulnerability that can lead to remote code execution. The flaw lies in the deserialization of DistributedAPI (DAPI) parameters by the `as_wazuh_object` function in `framework/wazuh/core/cluster/common.py`: the function reconstructs "unhandled exception" objects from an incoming dictionary that carries an `__unhandled_exc__` key, and does so by evaluating data taken from that dictionary rather than from a fixed set of known types. An attacker who can place an unsanitized dictionary into a DAPI request or response can therefore forge such an exception and have arbitrary Python code evaluated on the server. The vulnerability can be triggered by anyone with API access and, in certain configurations, by a compromised agent. The `/security/user/authenticate/run_as` API endpoint, which accepts caller-supplied JSON that is passed through the DAPI, is the known exploitation target. The vulnerability is being exploited in the wild: multiple Mirai botnets are actively exploiting it and using the compromised servers for DDoS attacks.
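The following is an added illustration of the deserialization pattern described above; it is not Wazuh's code. It models a JSON `object_hook` that rebuilds an "unhandled exception" from a dictionary by evaluating a class name taken from the payload (the unsafe pattern), beside a hardened hook that resolves the name through an allowlist and never evaluates attacker-supplied strings. The `__unhandled_exc__` marker key is the one named in the advisory; the `__class__` and `__args__` sub-keys, the `WazuhStyleError` class, the `SENTINEL` side-effect list and the sample payloads are assumptions constructed for this example.

```python
"""Unsafe-vs-hardened object_hook for '__unhandled_exc__' dictionaries.

Added example only; NOT Wazuh's implementation. Key names other than
'__unhandled_exc__' and the exception classes are assumptions.
"""
import json

# Constructed: a side effect that a forged payload can trigger, so the
# effect of eval() is observable without running a real command.
SENTINEL = []


def unsafe_hook(dct):
    """Unsafe pattern: the payload names the class to instantiate and
    that string is handed to eval(), so any Python expression runs."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc.get("__args__", []))
    return dct


class WazuhStyleError(Exception):
    """Assumed stand-in for a project-specific exception type."""


# Hardened: the only exception types the decoder will ever rebuild.
ALLOWED_EXC = {
    "WazuhStyleError": WazuhStyleError,
    "ValueError": ValueError,
    "KeyError": KeyError,
}

SCALARS = (str, int, float, bool, type(None))


def safe_hook(dct):
    """Hardened pattern: look the class name up in a fixed allowlist,
    accept only scalar constructor arguments, refuse everything else."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__")
        cls = ALLOWED_EXC.get(name)
        if cls is None:
            raise ValueError(f"refusing to deserialize exception class {name!r}")
        args = exc.get("__args__", [])
        if not all(isinstance(a, SCALARS) for a in args):
            raise ValueError("exception args must be scalars")
        return cls(*args)
    return dct


def decode(payload, hook):
    """Decode a JSON request/response body with the given object hook."""
    return json.loads(payload, object_hook=hook)


def find_marker_keys(obj, path="$"):
    """Detection helper: list JSON paths where the marker key appears,
    usable on logged request bodies before any deserialization."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == "__unhandled_exc__":
                hits.append(f"{path}.{k}")
            hits.extend(find_marker_keys(v, f"{path}.{k}"))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_marker_keys(v, f"{path}[{i}]"))
    return hits


# Constructed malicious body: the "class name" is a Python expression.
# A real attacker would use something like __import__('os').system(...).
MALICIOUS = json.dumps({
    "auth_context": {
        "__unhandled_exc__": {
            "__class__": "SENTINEL.append('pwned') or ValueError",
            "__args__": ["x"],
        }
    }
})

# Constructed benign body: a legitimately serialized exception.
BENIGN = json.dumps({
    "error": {"__unhandled_exc__": {"__class__": "WazuhStyleError",
                                    "__args__": ["agent timeout"]}}
})


def demo_unsafe():
    """Decode the forged payload with the unsafe hook; returns the
    side effects that eval() produced."""
    SENTINEL.clear()
    decode(MALICIOUS, unsafe_hook)
    return list(SENTINEL)


def demo_safe():
    """Decode the forged payload with the hardened hook; returns the
    refusal message instead of executing anything."""
    SENTINEL.clear()
    try:
        decode(MALICIOUS, safe_hook)
    except ValueError as err:
        return str(err)
    return None


def demo_benign():
    """The hardened hook still rebuilds allowlisted exceptions."""
    return decode(BENIGN, safe_hook)["error"]


if __name__ == "__main__":
    print("unsafe hook side effects:", demo_unsafe())
    print("safe hook result:", demo_safe())
    print("marker paths in forged body:", find_marker_keys(json.loads(MALICIOUS)))
```

The design point is that the hardened hook never turns payload data into code: the class name is only a dictionary lookup, the arguments are type-checked, and an unknown name is an error rather than a fallback. `find_marker_keys` is the same check applied from the outside, for an API gateway or a log pipeline that wants to flag request bodies carrying the marker before they reach the decoder.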
**Recommendations**
Upgrade Wazuh to version 4.9.1 or later, which corrects the deserialization. Where the upgrade cannot be applied immediately, reduce exposure rather than rely on any single control: restrict access to the Wazuh API (TCP port 55000 by default) to trusted networks, enforce strong authentication and replace default API credentials, and keep in mind that network restrictions alone do not help against an attacker who already holds valid API credentials. Monitor API and cluster logs for requests whose bodies contain the `__unhandled_exc__` marker, and harden agent enrollment and key management so that a compromised agent cannot reach the affected code path.