CVE-2024-35177
Published: 03 February 2025
Summary
CVE-2024-35177 is a high-severity Improper Access Control (CWE-284) vulnerability in Wazuh, affecting the wazuh-agent for Windows. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 15.3 percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations, including proper ACLs on the Wazuh agent installation directory, to prevent low-privileged users from placing malicious DLLs or replacing the service executable.
- CM-5 (Access Restrictions for Change): restricts the ability to change critical components such as the agent installation folder, binaries, and DLLs to authorized personnel only, mitigating unauthorized modifications.
- Software integrity monitoring: monitors the integrity of software, including DLLs and executables in the installation directory, to detect unauthorized placements or replacements by low-privileged users.
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. The wazuh-agent for Windows is vulnerable to a Local Privilege Escalation vulnerability due to an improper ACL on the non-default installation directory. A local malicious user could potentially exploit this vulnerability by placing one of the many DLLs that are loaded but not present on the system in the installation folder of the agent, or by replacing the service executable binary itself with a malicious one. The root cause is an improper ACL applied to the installation folder when a non-default installation path is specified (e.g., C:\wazuh). Many DLLs are loaded from the installation folder, and by creating a malicious DLL that exports the functions of a legitimate one (and that is not found on the system where the agent is installed, such as rsync.dll) it is possible to escalate privileges from a low-privileged user and obtain code execution under the context of NT AUTHORITY\SYSTEM. This issue has been addressed in version 4.9.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2024-35177 is a local privilege escalation vulnerability in the Wazuh-agent for Windows, part of the open-source Wazuh platform for threat prevention, detection, and response across various environments. The issue stems from improper access control lists (ACLs) applied to the agent's non-default installation directory, such as C:\wazuh. This flaw, rated at CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-284, allows unauthorized modification of files in the installation folder because many DLLs are loaded from there without sufficient protections.
A low-privileged local user can exploit this vulnerability by placing a malicious DLL in the installation directory—one that exports the functions of a legitimate DLL not present on the system, such as rsync.dll—or by replacing the service executable binary itself. Successful exploitation leads to code execution under the context of NT AUTHORITY\SYSTEM, enabling full compromise of the host with high confidentiality, integrity, and availability impacts.
The Wazuh security advisory (GHSA-pmr2-2r83-h3cv) confirms the issue has been addressed in Wazuh-agent version 4.9.0, urging all users to upgrade immediately. No workarounds are available.
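The ACL condition described above can be audited from an administrative PowerShell session. This is an added example, not Wazuh project code; it assumes the non-default install path C:\wazuh named in the advisory and treats the listed well-known groups as the low-privileged principals of concern.

```powershell
# Added audit example, not Wazuh project code. Lists ACL entries on the agent
# install directory and on its service binaries that grant write-class rights to
# broad, low-privileged principals: the condition CVE-2024-35177 describes.
param(
    [string]$InstallDir = 'C:\wazuh'   # assumed non-default install path; adjust per host
)

if (-not (Test-Path -LiteralPath $InstallDir)) {
    throw "Install directory not found: $InstallDir"
}

# Groups that every local user is a member of; write access for them is a finding.
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow dropping a DLL into, or replacing a file in, the audited path.
# Write already includes CreateFiles/WriteData; Modify and FullControl include Write.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Audit the install root plus the executable of every service whose binary lives under it.
$targets = [System.Collections.Generic.List[string]]::new()
$targets.Add($InstallDir)
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$InstallDir*" } | ForEach-Object {
    # PathName is either "quoted path" [args] or unquoted path [args].
    $exe = if ($_.PathName.StartsWith('"')) { ($_.PathName -split '"')[1] } else { ($_.PathName -split ' ')[0] }
    if (Test-Path -LiteralPath $exe) { $targets.Add($exe) }
}

$findings = foreach ($t in $targets) { Get-BroadWriteAce -Path $t }
if ($findings) {
    Write-Warning "Low-privileged principals can write to Wazuh agent paths (CVE-2024-35177 exposure):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad write access found on $InstallDir or its service binaries."
}
```

A non-empty result on an agent older than 4.9.0 is the expected exposure; after upgrading, rerun the audit to confirm the installation folder no longer grants write access to these groups.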
Details
- CWE(s)