CVE-2025-24016
Published: 10 February 2025
Summary
CVE-2025-24016 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wazuh (vendor: Wazuh). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw Remediation (SI-2): mandates timely identification, reporting, and patching of flaws such as the unsafe deserialization vulnerability fixed in Wazuh 4.9.1.
- Information Input Validation (SI-10): requires validation of information inputs such as JSON-serialized DAPI parameters, preventing injection of malicious dictionaries that lead to deserialization-based RCE.
- Error Handling (SI-11): ensures secure error handling during deserialization, so that a forged unhandled exception such as `__unhandled_exc__` cannot trigger arbitrary code execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization in the Wazuh server enables network-based RCE through arbitrary Python code evaluation in DAPI, which maps directly to exploitation of public-facing applications (T1190) and Python interpreter execution (T1059.006).
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Deeper analysis
CVE-2025-24016 is an unsafe deserialization vulnerability (CWE-502) in Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects Wazuh servers from version 4.4.0 up to but not including 4.9.1. The issue arises in the DistributedAPI (DAPI) where parameters are serialized as JSON and deserialized using the `as_wazuh_object` function in `framework/wazuh/core/cluster/common.py`. This allows an attacker to inject an unsanitized dictionary into a DAPI request or response, forging an unhandled exception (`__unhandled_exc__`) that evaluates arbitrary Python code, resulting in remote code execution (RCE). The vulnerability has a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H).
An attacker requires low privileges (PR:L), such as API access obtained via a compromised dashboard, another Wazuh server in the cluster, or—in certain configurations—a compromised agent. Exploitation occurs over the network with low attack complexity and no user interaction. The scope is changed (S:C), with high integrity and availability impact and limited confidentiality impact. Successful exploitation grants RCE on the targeted Wazuh server.
The Wazuh GitHub security advisory (GHSA-hcrc-79hj-m3qh) confirms the fix in version 4.9.1, recommending immediate upgrades for affected installations. No additional workarounds are specified.
This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active real-world exploitation.
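As an added illustration of the SI-10 input-validation control discussed above (example code written for this page, not Wazuh's `as_wazuh_object` or any other Wazuh code): a JSON `object_hook` that only reconstructs an explicitly allowlisted marker key and fails closed on any other dunder-style key, so a dictionary carrying `__unhandled_exc__` is rejected before any type dispatch can run. The `__datetime__` marker, the `decode_dapi_payload` name and the sample documents are assumptions constructed for this example.

```python
import json
import re
from datetime import datetime

# Hypothetical marker keys this application legitimately encodes. Any other
# key shaped like "__name__" (including "__unhandled_exc__") is refused.
ALLOWED_MARKERS = frozenset({"__datetime__"})
_MARKER_RE = re.compile(r"^__.*__$")


class UnsafePayload(ValueError):
    """Raised when a decoded dictionary carries a marker key that is not allowlisted."""


def strict_object_hook(obj: dict) -> object:
    """object_hook that fails closed instead of dispatching on unknown markers.

    json.loads calls this for every decoded dictionary, innermost first, so
    nested markers are checked as well as top-level ones.
    """
    markers = [k for k in obj if _MARKER_RE.match(k)]
    if not markers:
        return obj
    if len(markers) != 1 or markers[0] not in ALLOWED_MARKERS:
        raise UnsafePayload(f"rejected marker key(s): {sorted(markers)}")
    # Reconstruct types only through explicit, non-evaluating constructors.
    value = obj["__datetime__"]
    if not isinstance(value, str):
        raise UnsafePayload("__datetime__ must be an ISO-8601 string")
    return datetime.fromisoformat(value)


def decode_dapi_payload(raw: str, max_bytes: int = 1 << 20) -> object:
    """Decode a JSON document with the strict hook, bounding its size first."""
    if len(raw) > max_bytes:
        raise UnsafePayload("payload exceeds size limit")
    return json.loads(raw, object_hook=strict_object_hook)


def is_accepted(raw: str) -> bool:
    """True if the document decodes cleanly; False on any validation failure."""
    try:
        decode_dapi_payload(raw)
        return True
    except ValueError:  # UnsafePayload and JSONDecodeError both subclass ValueError
        return False


# Constructed sample documents (not real Wazuh traffic).
BENIGN = json.dumps({"f": "agents", "params": {"agent_list": ["001"]},
                     "ts": {"__datetime__": "2025-02-10T00:00:00"}})
FORGED = json.dumps({"__unhandled_exc__": {"placeholder": "constructed example"}})
```

A request that fails the hook should be logged and dropped by the caller rather than retried, since the rejection itself is the detection signal.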
Details
- CWE(s): CWE-502
- KEV Date Added: 10 June 2025