CVE-2025-24016
Published: 10 February 2025
Summary
CVE-2025-24016 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wazuh. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows remote code execution on Wazuh servers. DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using `as_wazuh_object` in `framework/wazuh/core/cluster/common.py`. If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability is tracked as CWE-502 and carries a CVSS 3.1 score of 9.9.
The flaw can be triggered by anybody with API access, including through a compromised dashboard or other Wazuh servers in the cluster, or in certain configurations even by a compromised agent. Successful exploitation grants the attacker the ability to execute arbitrary Python code on affected Wazuh servers.
The official advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh states that version 4.9.1 contains a fix. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score has reached a peak of 0.9387, indicating substantial exploitation interest following disclosure.
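As an added example (not Wazuh's code and not its fix): a hardened `object_hook` for a JSON wire format that marks special values with dunder-tagged dicts, the pattern the DAPI description above refers to. The tag name `__wazuh_datetime__`, the decoder, and the size bound are assumptions; the point is that an allowlist of plain data decoders replaces any path that evaluates strings from the wire, so an unknown tag such as `__unhandled_exc__` is rejected at decode time instead of being acted on.

```python
"""Added illustration of a tag-allowlisting JSON object_hook.
Not Wazuh's implementation; tag names and decoders are hypothetical."""
import json
from datetime import datetime, timezone


class UnsafeTagError(ValueError):
    """Raised when a decoded dict carries a tag we refuse to materialise."""


def _decode_datetime(payload):
    # Hypothetical decoder: the tagged value is {"value": "<ISO 8601>"}.
    return datetime.fromisoformat(payload["value"]).replace(tzinfo=timezone.utc)


# Allowlist: tag -> constructor that builds a plain data object.
# No entry may evaluate, import or instantiate arbitrary classes;
# adding a tag is a deliberate code change, never data-driven.
SAFE_TAGS = {
    "__wazuh_datetime__": _decode_datetime,  # hypothetical tag
}


def safe_object_hook(d):
    """object_hook for json.loads: dispatch allowlisted tags, reject the rest.

    A dict without dunder keys is ordinary data and passes through unchanged.
    json.loads calls this bottom-up, so nested dicts are checked first.
    """
    tags = [k for k in d if k.startswith("__") and k.endswith("__")]
    if not tags:
        return d
    if len(tags) != 1 or len(d) != 1:
        raise UnsafeTagError(f"ambiguous tagged object: {sorted(d)}")
    tag = tags[0]
    decoder = SAFE_TAGS.get(tag)
    if decoder is None:
        # __unhandled_exc__ and any other unknown tag land here.
        raise UnsafeTagError(f"refusing unknown tag {tag!r}")
    try:
        return decoder(d[tag])
    except (KeyError, TypeError, ValueError) as exc:
        raise UnsafeTagError(f"malformed payload for {tag!r}: {exc}") from None


def load_message(raw: bytes, max_size: int = 1 << 20):
    """Decode one message, bounding its size before parsing (SI-10 style)."""
    if len(raw) > max_size:
        raise UnsafeTagError("message too large")
    return json.loads(raw.decode("utf-8"), object_hook=safe_object_hook)
```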
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3595
Vulnerability details
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 10 June 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization in the Wazuh server enables network-based RCE via arbitrary Python code evaluation in DAPI, which maps directly to Exploit Public-Facing Application (T1190) and Command and Scripting Interpreter: Python (T1059.006).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of flaws like the unsafe deserialization vulnerability fixed in Wazuh 4.9.1.
- SI-10 (Information Input Validation): Requires validation of information inputs such as JSON-serialized DAPI parameters to prevent injection of malicious dictionaries leading to deserialization-based RCE.
- SI-11 (Error Handling): Ensures secure error handling during deserialization to avoid arbitrary code execution triggered by forged unhandled exceptions like `__unhandled_exc__`.