PT-2025-6100 · Wazuh · Wazuh

Danielfi

·

Published

2025-02-10

·

Updated

2026-03-11

·

CVE-2025-24016

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions Wazuh versions 4.4.0 through 4.9.0 (fixed in 4.9.1)
Description Wazuh, a platform for threat prevention, detection, and response, is affected by an unsafe deserialization vulnerability that can lead to remote code execution. The flaw lies in how DistributedAPI (DAPI) parameters are deserialized by the as_wazuh_object function in framework/wazuh/core/cluster/common.py. An attacker who can inject an unsanitized dictionary into a DAPI request or response can forge an unhandled exception (a dictionary carrying the __unhandled_exc__ key) and have arbitrary Python code executed on the server with the privileges of the Wazuh API process. The vulnerability can be triggered by anyone with API access and, in certain configurations, even by a compromised agent. It is actively exploited in the wild: Mirai-based botnets have been observed exploiting it, using the /security/user/authenticate/run_as API endpoint as the entry point, and the compromised servers are then used to launch DDoS attacks.
Recommendations Upgrade Wazuh to version 4.9.1 or later, which fixes the issue. Until the upgrade is done, restrict access to the Wazuh API (TCP port 55000 by default) to trusted networks and enforce strict authentication with non-default credentials. Monitor API logs for requests to /security/user/authenticate/run_as and for request bodies that contain the __unhandled_exc__ key, which no legitimate API client sends. Secure agent configurations so that a compromised endpoint cannot reach the cluster deserialization path.
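The deserialization pattern the description refers to, as an added illustration rather than Wazuh's source code: a json.loads object hook that reconstructs a forged "unhandled exception" from attacker-controlled __class__ and __args__ fields by evaluating the class name, beside a hardened hook that only reconstructs allowlisted exception types, plus a pre-deserialization check of the kind an API log monitor or reverse proxy could apply to run_as request bodies, as the recommendations suggest. The function names, the allowlist, the looks_like_dapi_injection helper and the sample messages are all constructed for this example; the payload appends to an in-process list instead of running a shell command so the demonstration is harmless.

```python
import builtins
import json
from typing import Any, Dict

# Constructed side-effect sink: lets the demo prove that payload code actually
# ran without touching the file system or spawning a shell.
MARKER: list = []


def as_wazuh_object_vulnerable(dct: Dict[str, Any]) -> Any:
    """Illustrative object_hook for the VULNERABLE pattern (not Wazuh's code).

    Both the exception class name and its constructor arguments come straight
    from the JSON document.  Resolving the name with eval() means that "exec",
    "__import__" or any other builtin is accepted as an 'exception class' and
    then called with attacker-chosen arguments.
    """
    if "__unhandled_exc__" in dct:
        exc_data = dct["__unhandled_exc__"]
        exc_class = eval(exc_data["__class__"])  # root cause: eval on peer input
        return exc_class(*exc_data["__args__"])
    return dct


# Hardened variant: an explicit allowlist of exception types a peer may hand us.
# Names are looked up in this dict only; nothing from the payload is evaluated.
ALLOWED_EXCEPTIONS: Dict[str, type] = {
    name: getattr(builtins, name)
    for name in ("ValueError", "KeyError", "TimeoutError",
                 "PermissionError", "RuntimeError")
}
SCALARS = (str, int, float, bool, type(None))


def as_wazuh_object_hardened(dct: Dict[str, Any]) -> Any:
    """Same marker key, but only allowlisted classes with plain scalar args."""
    if "__unhandled_exc__" in dct:
        exc_data = dct["__unhandled_exc__"]
        name = exc_data.get("__class__")
        args = exc_data.get("__args__", [])
        exc_class = ALLOWED_EXCEPTIONS.get(name)
        if exc_class is None:
            raise ValueError(f"refusing non-allowlisted exception class {name!r}")
        if not isinstance(args, list) or not all(isinstance(a, SCALARS) for a in args):
            raise ValueError("exception arguments must be plain JSON scalars")
        return exc_class(*args)
    return dct


def dapi_loads(payload: str, hook) -> Any:
    """Deserialize a DAPI-style JSON message with the given object hook."""
    return json.loads(payload, object_hook=hook)


def looks_like_dapi_injection(body: str) -> bool:
    """Cheap check for API request bodies before they reach the deserializer.

    The cluster's internal marker key __unhandled_exc__ has no business in a
    request from an external client; flagging it (at any nesting depth) is a
    low-false-positive indicator of an exploitation attempt.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "__unhandled_exc__" in node:
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False


# Constructed sample messages for the demo (not captured traffic).
BENIGN_EXC = json.dumps({"__unhandled_exc__": {
    "__class__": "TimeoutError", "__args__": ["node-2 unreachable"]}})
MALICIOUS = json.dumps({"__unhandled_exc__": {
    "__class__": "exec", "__args__": ["MARKER.append('pwned')"]}})


def demo() -> Dict[str, bool]:
    """Run both hooks against both messages and report what happened."""
    MARKER.clear()
    benign = dapi_loads(BENIGN_EXC, as_wazuh_object_hardened)
    results = {"benign_is_timeout": isinstance(benign, TimeoutError)}
    dapi_loads(MALICIOUS, as_wazuh_object_vulnerable)   # exec() runs here
    results["vulnerable_executed_payload"] = MARKER == ["pwned"]
    try:
        dapi_loads(MALICIOUS, as_wazuh_object_hardened)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    results["flagged_before_deserialization"] = looks_like_dapi_injection(MALICIOUS)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the hardened hook is not the specific allowlist but that the class name is used only as a dictionary key: a peer can influence which of a handful of known exception types is constructed, never which Python object gets called. In a real API, the pre-deserialization check belongs in front of json.loads, because once the object hook runs the damage is already done.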

Exploit

Fix

DoS

RCE

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

BDU:2025-01366
CVE-2025-24016
GHSA-HCRC-79HJ-M3QH
GO-2025-3459
OPENSUSE-SU-2025:14889-1

Affected Products

Wazuh