Cyber Resilience

CVE-2025-24016

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 10 February 2025
Modified: 24 October 2025
KEV Added: 10 June 2025
Patch
CVSS Score v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H)
EPSS Score: 0.9387 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24016 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Wazuh platform (vendor: Wazuh). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows remote code execution on Wazuh servers. DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using as_wazuh_object in framework/wazuh/core/cluster/common.py. If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (__unhandled_exc__) that causes arbitrary Python code to be evaluated. The vulnerability is tracked as CWE-502 and carries a CVSS 3.1 score of 9.9.

The flaw can be triggered by anybody with API access, including through a compromised dashboard or other Wazuh servers in the cluster, or in certain configurations even by a compromised agent. Successful exploitation grants the attacker the ability to execute arbitrary Python code on affected Wazuh servers.

The official advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh states that version 4.9.1 contains a fix. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score has reached a peak of 0.9387, indicating substantial exploitation interest following disclosure.
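As an added illustration (not Wazuh's own code and not the fix shipped in 4.9.1), the Python below shows the defensive pattern for a JSON object_hook of the kind described above: reconstruct only allowlisted tagged types and refuse any double-underscore control key such as `__unhandled_exc__` instead of evaluating its contents, plus a detection helper that flags messages carrying that marker. The `__datetime__` tag and the sample messages are constructed for this example.

```python
import json
from datetime import datetime

# The one tagged type this example allows back out of JSON.
# Assumed convention for the example, not a Wazuh wire-format detail.
ALLOWED_TAG = "__datetime__"
FORGED_MARKER = "__unhandled_exc__"  # key named in the advisory


def strict_object_hook(obj: dict) -> object:
    """object_hook for json.loads that never evaluates message content.

    Every dunder key that is not explicitly allowlisted is treated as a
    forged control marker and rejected, so a dict carrying
    __unhandled_exc__ can never reach eval() or any equivalent.
    """
    for key in obj:
        if key.startswith("__") and key != ALLOWED_TAG:
            raise ValueError(f"rejected control key in DAPI payload: {key}")
    if ALLOWED_TAG in obj:
        # Rebuild from a fixed-format ISO string only; no code is executed.
        return datetime.fromisoformat(obj[ALLOWED_TAG])
    return obj


def load_dapi_payload(text: str) -> object:
    """Deserialize a DAPI-style JSON message with the strict hook."""
    return json.loads(text, object_hook=strict_object_hook)


def is_rejected(text: str) -> bool:
    """True when the strict loader refuses the message."""
    try:
        load_dapi_payload(text)
    except ValueError:
        return True
    return False


def payload_carries_forged_exception(text: str) -> bool:
    """Detection helper: True if any nested dict carries __unhandled_exc__."""
    def walk(node) -> bool:
        if isinstance(node, dict):
            return FORGED_MARKER in node or any(walk(v) for v in node.values())
        if isinstance(node, list):
            return any(walk(v) for v in node)
        return False
    try:
        return walk(json.loads(text))  # plain load, no object_hook
    except json.JSONDecodeError:
        return False


# Constructed sample messages, not captured traffic.
BENIGN = '{"cmd": "agents/list", "ts": {"__datetime__": "2025-02-10T09:00:00"}}'
FORGED = '{"cmd": "agents/list", "data": {"__unhandled_exc__": {}}}'
```

The detection helper can be run over logged DAPI messages as a cheap indicator, while the strict hook is the input-validation control (SI-10) applied at the deserialization boundary itself.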

EU & UK References

Vulnerability details

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 10 June 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unsafe deserialization in the Wazuh server enables network-based RCE through arbitrary Python code evaluation in DAPI, which maps directly to exploitation of a public-facing application (T1190) and to Python interpreter execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25769 · Same product: Wazuh Wazuh
CVE-2025-62786 · Same product: Wazuh Wazuh
CVE-2026-25790 · Same product: Wazuh Wazuh
CVE-2026-28221 · Same product: Wazuh Wazuh
CVE-2025-15616 · Same product: Wazuh Wazuh
CVE-2026-30893 · Same product: Wazuh Wazuh
CVE-2024-35177 · Same product: Wazuh Wazuh
CVE-2025-30201 · Same product: Wazuh Wazuh
CVE-2026-32983 · Same product: Wazuh Wazuh
CVE-2026-25770 · Same product: Wazuh Wazuh

Affected Assets

wazuh
wazuh
4.4.0 — 4.9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Mandates timely identification, reporting, and patching of flaws like the unsafe deserialization vulnerability fixed in Wazuh 4.9.1.

Prevent (SI-10 Information Input Validation): Requires validation of information inputs such as JSON-serialized DAPI parameters to prevent injection of malicious dictionaries leading to deserialization-based RCE.

Prevent (SI-11 Error Handling): Ensures secure error handling during deserialization to avoid arbitrary code execution triggered by forged unhandled exceptions like __unhandled_exc__.

References