PT-2025-44187 · Wazuh · Wazuh

Published: 2025-10-28 · Updated: 2025-10-28 · CVE-2025-34294

CVSS v4.0: 7.1 (High)

Vector: AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Wazuh (affected versions not specified)

Description

A time-of-check/time-of-use (TOCTOU) race condition exists in the File Integrity Monitoring (FIM) component when automatic threat removal is enabled. This can allow a local, low-privileged attacker to cause the Wazuh service, running with SYSTEM privileges, to delete attacker-controlled files or paths. The issue stems from insufficient synchronization and a lack of final-path validation during the threat-removal process. Specifically, the agent records a threat removal action and proceeds with deletion without verifying the deletion target remains the originally intended file. This can lead to arbitrary file or folder deletion at the SYSTEM level, potentially resulting in local privilege escalation. An attempted fix was made via pull request 8697 on 2025-07-10, but it was incomplete.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
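
The description attributes the issue to deleting by path without confirming that the target is still the file that was flagged. The block below is an added illustration, not Wazuh's code and not the change from the pull request: a POSIX analogue (the advisory concerns a Windows service) in which the hypothetical helpers `record_identity` and `remove_flagged` store the file's device and inode at check time and re-verify them through an open descriptor before unlinking.

```python
import os
import stat


class TargetChanged(Exception):
    """The path no longer names the object that was flagged."""


def record_identity(path):
    """Check time: remember which object was flagged, not only its name."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino)


def remove_flagged(path, identity):
    """Use time: unlink `path` only if it is still the flagged regular file."""
    parent, name = os.path.split(os.path.abspath(path))
    # Pin the parent directory: the open and the unlink below are resolved
    # relative to this descriptor instead of re-walking the full path.
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        try:
            # O_NOFOLLOW refuses a link in the final component.
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                         dir_fd=dir_fd)
        except OSError as exc:
            raise TargetChanged(f"cannot open {name!r}: {exc}") from exc
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
                raise TargetChanged(f"{name!r} is not the file that was flagged")
            # POSIX unlinks by name, so the entry can still be rebound here;
            # the pinned dir_fd confines the effect to this one directory entry.
            os.unlink(name, dir_fd=dir_fd)
        finally:
            os.close(fd)
    finally:
        os.close(dir_fd)
```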

LPE

Time Of Check To Time Of Use


Weakness Enumeration

Related Identifiers

BDU:2025-16388
CVE-2025-34294

Affected Products

Wazuh