CVE-2025-24016
Published 2025-02-10
Priority: P196 critical
CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, remediation due 2025-07-01
Exploited in the wild
EPSS: 92.58% (99.8th percentile)
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (a compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | wazuh_wazuh | >= 4.4.0 < 4.9.1 | 4.9.1 |
| github.com | wazuh_wazuh | >= 4.4.0+incompatible < 4.9.1+incompatible | 4.9.1+incompatible |
| wazuh | wazuh | — | — |
| wazuh | wazuh | >= 4.4.0 < 4.9.1 | 4.9.1 |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid 2060945):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; pcre:"/^(?:security|agents|events|groups)\x2f/Ri"; http.content_type; content:"application/json"; http.request_body; content:"|22|__unhandled_exc__|22 3a|"; fast_pattern; content:"|22|__class__|22 3a|"; content:"|22|__args__|22 3a|"; reference:url,github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh; reference:cve,2025-24016; classtype:web-application-attack; sid:2060945; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_03_18, cve CVE_2025_24016, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Byte pattern matched in the request body: `|22|__unhandled_exc__|22 3a|`, i.e. the ASCII bytes `"__unhandled_exc__":`.
- Detect POST requests to Wazuh API endpoints (security, agents, events, groups) containing the JSON key `__unhandled_exc__` in the request body, which is the trigger for the unsafe deserialization RCE.
- Monitor for HTTP 500 responses from the Wazuh API containing `NameError` in the body, which indicates successful triggering of the deserialization vulnerability.
- Monitor for suspicious API requests to the `/security/user/authenticate/run_as` endpoint, a key attack vector for this vulnerability.
- The vulnerability is exploitable by any authenticated API user, including compromised dashboards, cluster nodes or, in certain configurations, even compromised agents; scope monitoring to all API consumers.
- The vulnerability affects Wazuh versions >= 4.4.0 and < 4.9.1. Version 4.9.1 contains the fix; detections are only relevant on unpatched instances.
- CISA KEV lists this with a remediation due date of 2025-07-01; treat it as actively exploited in the wild.
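Detection logic for the indicators listed above, added here as an example (it is not code from any of the sources quoted on this page): it keeps the scope of the ET rule quoted above (POST, API path prefix, JSON body) but parses the body, so a marker key written with JSON escape sequences is still caught, and it also checks the HTTP 500 / NameError response indicator. The sample requests, their field names and the PLACEHOLDER values are constructed for the demo.

```python
import json
import re
from typing import Any, Dict, List

# Endpoint prefixes and the marker key come from the ET rule (sid:2060945) quoted above.
API_PATH_RE = re.compile(r"^/(?:security|agents|events|groups)/", re.IGNORECASE)
MARKER_KEY = "__unhandled_exc__"

def _carries_marker(node: Any) -> bool:
    """Walk parsed JSON; a dict holding the marker key anywhere in the tree is a hit."""
    if isinstance(node, dict):
        return MARKER_KEY in node or any(_carries_marker(v) for v in node.values())
    if isinstance(node, list):
        return any(_carries_marker(v) for v in node)
    return False

def is_suspicious_request(method: str, path: str, content_type: str, body: str) -> bool:
    """Same scope as the IDS rule (POST, API prefix, JSON body), but matched on parsed keys."""
    if method.upper() != "POST" or not API_PATH_RE.match(path):
        return False
    if "application/json" not in content_type.lower():
        return False
    try:
        return _carries_marker(json.loads(body))
    except ValueError:
        # Body is not valid JSON: fall back to the raw byte pattern the IDS rule uses.
        return f'"{MARKER_KEY}":' in body

def is_suspicious_response(status: int, body: str) -> bool:
    """HTTP 500 carrying NameError is the success indicator listed above."""
    return status == 500 and "NameError" in body

# Constructed sample requests (hypothetical placeholders, not real captures).
SAMPLE_REQUESTS: List[Dict[str, Any]] = [
    {"id": "r1", "method": "POST", "path": "/agents/", "ct": "application/json",
     "body": '{"name": "agent01", "ip": "any"}'},
    {"id": "r2", "method": "POST", "path": "/security/user/authenticate/run_as",
     "ct": "application/json",
     "body": '{"user_name": "x", "extra": {"__unhandled_exc__": {"__class__": "PLACEHOLDER"}}}'},
    # Marker key written with JSON escapes: the raw byte pattern misses it, parsing does not.
    {"id": "r3", "method": "POST", "path": "/events/", "ct": "application/json",
     "body": r'{"\u005f\u005funhandled_exc\u005f\u005f": {"__class__": "PLACEHOLDER"}}'},
]

def flagged_requests(requests: List[Dict[str, Any]]) -> List[str]:
    return [r["id"] for r in requests
            if is_suspicious_request(r["method"], r["path"], r["ct"], r["body"])]
```

Running `flagged_requests(SAMPLE_REQUESTS)` returns `['r2', 'r3']`; r3 is the case a byte-pattern-only match would miss, which is why the JSON parse comes first and the raw check is only the fallback.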
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H |
| vulncheck | | 9.9 | CRITICAL | |
| cisa | | 9.9 | CRITICAL | |
| vendor_redhat | | 5.5 | MEDIUM | |
OSV
Wazuh server vulnerable to remote code execution
osv·2025-04-22
CVE-2025-24016 [CRITICAL] Wazuh server vulnerable to remote code execution
### Summary
An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers.
The vulnerability can be triggered by anybody with API access (a compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent.
### Details
DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code.
Using the server API, it is quite easy to trigger. For example, using the `run_as` endpoint (implemented by `run_as_login` in `api/api/cont
GHSA
Wazuh server vulnerable to remote code execution
ghsa·2025-04-22
CVE-2025-24016 [CRITICAL] CWE-502 Wazuh server vulnerable to remote code execution
OSV
Remote code execution in Wazuh server in github.com/wazuh/wazuh
osv·2025-03-03
CVE-2025-24016 Remote code execution in Wazuh server in github.com/wazuh/wazuh
VulnCheck
Wazuh Server Deserialization of Untrusted Data Vulnerability
vulncheck·2025·CVSS 9.9
CVE-2025-24016 [CRITICAL] CWE-502 Wazuh Server Deserialization of Untrusted Data Vulnerability
Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.
Affected: Wazuh Wazuh Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-03&host_type=src&vulnerability=cve-2025-24016; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-04&host_type=src&vulnerability=cve-2025-24016; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-05&host_type=src&vulnerab
CISA
Wazuh Server Deserialization of Untrusted Data Vulnerability
cisa·2025-06-10·CVSS 9.9
CVE-2025-24016 [CRITICAL] CWE-502 Wazuh Server Deserialization of Untrusted Data Vulnerability
Affected: Wazuh Wazuh Server
Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016
Remediation Due Date: 2025-07-01
Suricata
ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016)
suricata·2025-03-18·CVSS 9.9
CVE-2025-24016 [CRITICAL] ET WEB_SPECIFIC_APPS Wazuh Server Serialized Unhandled Exception Payload (CVE-2025-24016)
Metasploit
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
metasploit
Nuclei
Wazuh - Unsafe Deserialization Remote Code Execution
nuclei·CVSS 9.9
CVE-2025-24016 [CRITICAL] Wazuh - Unsafe Deserialization Remote Code Execution
A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. Upgrade to version >= 4.9.1, where this vulnerability has been patched. If immediate upgrade is not possible: restrict API access to trusted IP addresses only, implement network segmentation to isolate Wazuh servers, monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint, and consider implementing a Web Application Firewall (WAF) to filter malicious requests.
```yaml
reference:
  - https://github.com/MuhammadWaseem29/CVE-2025-24016
  - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
  - https://nvd.nist.gov/vuln/detail/CVE-2025-24016
classification:
  epss-score: 0.93874
  epss-percentile: 0.9987
  cvss-metrics: CV
```
Timeline
- 2025-02-10: Published
- 2025-06-10: Added to CISA KEV
- Exploited in the wild