CVE-2025-24016
published 2025-02-10

Priority: P1 (96), critical; CVSS 3.1 base score 9.9
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Tags: KEV, ITW, Exploit, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-07-01
Exploited in the wild
EPSS: 92.58% (99.8th percentile)
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

Affected (4 ranges)

Vendor     | Product     | Version range                                  | Fixed in
github.com | wazuh_wazuh | >= 4.4.0 < 4.9.1                               | 4.9.1
github.com | wazuh_wazuh | >= 4.4.0+incompatible < 4.9.1+incompatible     | 4.9.1+incompatible
wazuh      | wazuh       |                                                |
wazuh      | wazuh       | >= 4.4.0 < 4.9.1                               | 4.9.1

Detection & IOCs (extracted from sources)

url: /security/user/authenticate/run_as
other: {"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}
path: framework/wazuh/core/cluster/common.py
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; pcre:"/^(?:security|agents|events|groups)\x2f/Ri"; http.content_type; content:"application/json"; http.request_body; content:"|22|__unhandled_exc__|22 3a|"; fast_pattern; content:"|22|__class__|22 3a|"; content:"|22|__args__|22 3a|"; reference:url,github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh; reference:cve,2025-24016; classtype:web-application-attack; sid:2060945; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_18, cve CVE_2025_24016, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |22|__unhandled_exc__|22 3a|
  • Detect POST requests to Wazuh API endpoints (security, agents, events, groups) containing the JSON key '__unhandled_exc__' in the request body, which is the trigger for the unsafe deserialization RCE.
  • Monitor for HTTP 500 responses from the Wazuh API containing 'NameError' in the body, which indicates successful triggering of the deserialization vulnerability.
  • Monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint as a key attack vector for this vulnerability.
  • The vulnerability is exploitable by any authenticated API user, including compromised dashboards, cluster nodes, or in certain configurations even compromised agents — scope monitoring to all API consumers.
  • The vulnerability affects Wazuh versions >= 4.4.0 and < 4.9.1. Version 4.9.1 contains the fix; detections are only relevant on unpatched instances.
  • CISA KEV lists this with a remediation due date of 2025-07-01; treat as actively exploited in the wild.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.9   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
vulncheck     |         | 9.9   | CRITICAL |
cisa          |         | 9.9   | CRITICAL |
vendor_redhat |         | 5.5   | MEDIUM   |