Wazuh, Remote Code Execution via Unsafe Deserialization, CVE-2025-24016 (Critical)


How CVE-2025-24016 Works

The vulnerability lies in Wazuh's DistributedAPI (DAPI), the channel over which the manager and the other cluster nodes exchange API requests and responses. In framework/wazuh/core/cluster/common.py, the `as_wazuh_object` function acts as the JSON decoding hook that turns serialized DAPI parameters back into Python objects. When an incoming dictionary carries an `__unhandled_exc__` key, the function trusts the nested exception class name and argument list it finds there and hands attacker-controlled strings to `eval` in order to rebuild the exception, so a crafted payload runs arbitrary Python code inside the Wazuh server process. Because the deserializer is reached by any peer that can submit DAPI traffic, the bug is exploitable by an authenticated API user (for example through a compromised dashboard or another server in the cluster) and, in some configurations, by a compromised agent. The root cause is that untrusted input is evaluated instead of being parsed and validated before it is turned into objects.
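To make the decoding hook concrete, the following is an added example written for this page; it is a cut-down reconstruction of the pattern, not Wazuh's own code, and it also serves the Detection section below. It assumes the hook is installed as a `json.loads` `object_hook`, that the record under `__unhandled_exc__` carries `__class__` and `__args__` fields, and that a deployment can enumerate the exception names it legitimately exchanges (the `ALLOWED_EXCEPTIONS` set is a placeholder). The two messages are constructed for the demo.

```python
import builtins
import json

# Added example, not Wazuh code: a model of a JSON object_hook that rebuilds
# exceptions from a DAPI-style "__unhandled_exc__" record, shown in its
# vulnerable form and in a hardened form.

# Exception classes the hardened hook is willing to reconstruct. Assumption:
# a real deployment would list the ones its protocol actually sends.
ALLOWED_EXCEPTIONS = {"ValueError", "KeyError", "TypeError", "RuntimeError"}


def as_wazuh_object_unsafe(dct):
    """Vulnerable pattern: the class name is eval'd and the result is called
    with the attacker-supplied argument list, so any Python expression runs."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # deliberately unsafe
    return dct


def as_wazuh_object_safe(dct):
    """Hardened pattern: the name is only ever looked up against an allow-list
    of builtin exception classes; nothing from the message is evaluated."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__") if isinstance(exc, dict) else None
        args = exc.get("__args__", []) if isinstance(exc, dict) else None
        if not isinstance(name, str) or name not in ALLOWED_EXCEPTIONS \
                or not isinstance(args, list):
            raise ValueError(f"rejected __unhandled_exc__ record: {name!r}")
        cls = getattr(builtins, name)
        if not (isinstance(cls, type) and issubclass(cls, BaseException)):
            raise ValueError(f"{name!r} is not an exception class")
        return cls(*args)
    return dct


def decode_unsafe(raw):
    return json.loads(raw, object_hook=as_wazuh_object_unsafe)


def decode_safe(raw):
    return json.loads(raw, object_hook=as_wazuh_object_safe)


def safe_decoder_rejects(raw):
    """True if the hardened decoder refuses the message (malformed JSON also
    raises ValueError, so it counts as rejected)."""
    try:
        decode_safe(raw)
    except ValueError:
        return True
    return False


def flag_unhandled_exc(raw):
    """Detection helper for a traffic or log scan: return a reason string when a
    message carries an __unhandled_exc__ record that names anything other than
    an allow-listed exception class, else None."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return None
    exc = obj.get("__unhandled_exc__") if isinstance(obj, dict) else None
    if not isinstance(exc, dict):
        return None
    name = exc.get("__class__")
    if not isinstance(name, str) or name not in ALLOWED_EXCEPTIONS:
        return f"__unhandled_exc__ names a non-exception callable: {name!r}"
    return None


# Constructed messages: a legitimate exception record, and one that reaches
# into the os module although the server never imported it for this purpose.
BENIGN_MSG = json.dumps({"__unhandled_exc__": {"__class__": "ValueError",
                                               "__args__": ["bad value"]}})
MALICIOUS_MSG = json.dumps({"__unhandled_exc__": {
    "__class__": "__import__('os').path.basename",
    "__args__": ["/etc/passwd"]}})

if __name__ == "__main__":
    print("unsafe, benign   :", repr(decode_unsafe(BENIGN_MSG)))
    print("unsafe, malicious:", repr(decode_unsafe(MALICIOUS_MSG)))  # attacker code ran
    print("safe, benign     :", repr(decode_safe(BENIGN_MSG)))
    print("safe, malicious  :", "rejected" if safe_decoder_rejects(MALICIOUS_MSG) else "accepted")
    print("detection        :", flag_unhandled_exc(MALICIOUS_MSG))
```

The malicious message uses a harmless callable (`os.path.basename`) purely to show that an arbitrary expression is evaluated and called; any other expression would run the same way. The hardened hook never evaluates the name: it looks it up in `builtins` only after the allow-list check, and the `issubclass` guard means that even an allow-list mistake cannot turn a non-exception callable into a gadget.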

DailyCVE Form

Platform: Wazuh
Version: 4.4.0 to 4.9.0
Vulnerability: RCE via deserialization
Severity: Critical
Date: 06/11/2025

Prediction: Patch already available (Wazuh 4.9.1 and later); no further vendor fix expected

What Undercode Says:

Exploitation:

  1. Craft a DAPI message whose JSON body carries the `__unhandled_exc__` key. The payload below is this page's schematic; the exact nested fields the vulnerable branch reads (an exception class name plus an argument list) are described in the upstream advisory:
    payload="{\"__unhandled_exc__\": \"os.system('id')\"}"

2. Send it via a compromised agent or through the API:

curl -X POST http://wazuh-server:55000/dapi/ \
  -H "Content-Type: application/json" \
  -d "{\"data\": \"$(printf '%s' "$payload" | base64)\"}"

This request is likewise schematic: Wazuh's REST API has no `/dapi/` route and requires a bearer token for every call; DAPI messages travel over the cluster communication channel, which the REST API and cluster peers reach only after authenticating.

Mitigation:

1. Immediate Workaround:

Restrict who can reach the REST API. A blanket drop on port 55000, as originally suggested, also cuts off the Wazuh dashboard, so limit the rule to hosts that legitimately need the API (`<dashboard-ip>` is a placeholder):
iptables -A INPUT -p tcp --dport 55000 ! -s <dashboard-ip> -j DROP

This only narrows the API path. It does nothing for the compromised-agent or compromised-cluster-node path described above, so treat it as a stopgap until the upgrade is done.

2. Permanent Fix:

Upgrade to Wazuh 4.9.1 or later with the package manager the manager was installed from (there is no `wazuh-manager upgrade` subcommand):
apt-get install wazuh-manager   # Debian/Ubuntu
yum update wazuh-manager        # RHEL/CentOS

Detection:

Review the API and cluster logs under /var/ossec/logs/ (api.log, cluster.log, ossec.log) for requests from unexpected sources, cluster connections from unknown nodes, and bursts of decoding errors. The literal key is unlikely to appear in log text, so the string check below is only a quick first pass:
grep -r "__unhandled_exc__" /var/ossec/logs/

Also look for unexpected child processes of the wazuh-manager Python workers, since successful exploitation runs code inside that process.

Analytics:

  • Attack Vector: Network (REST API or cluster/agent channel)
  • Complexity: Low; requires API credentials, a compromised cluster node or, in some configurations, a compromised agent, so it is not anonymous pre-auth
  • CVSS: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Note that this vector is in CVSS 3.x notation, not 4.0, and its PR:N does not match the authenticated access described above; check the NVD/GHSA entry for the vendor's scoring
  • Exploit Availability: Public PoCs expected within 30 days.

Code Fix (Patch Preview):

framework/wazuh/core/cluster/common.py, as this page sketches the fix. The upstream 4.9.1 change took a different route and replaced the `eval` call in the `__unhandled_exc__` branch with a literal-only evaluation (`ast.literal_eval`), so the nested class name is never executed:

    def as_wazuh_object(d):
        if "__unhandled_exc__" in d:
            raise ValueError("Illegal payload")
        return d

References:

Reported by: nvd.nist.gov
