CVE-2026-25769
Published: 17 March 2026
Summary
CVE-2026-25769 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the Wazuh platform (vendor: Wazuh). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 36.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly addresses the RCE by requiring timely patching to Wazuh version 4.14.3 or later.
SI-10 (Information Input Validation): prevents deserialization of untrusted data (CWE-502) by requiring the master node to validate the information it receives from worker nodes rather than reconstructing objects from it.
AC-6 (Least Privilege): limits what a compromised worker node can reach, raising the cost of obtaining the high-privilege position (PR:H) the attack starts from. It does not remove the master's trust in messages from worker nodes, so it complements the patch rather than replacing it.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution on the master node from a high-privilege position on a worker node via deserialization, directly facilitating Exploitation of Remote Services (T1210).
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.
Deeper analysis
CVE-2026-25769 is a Remote Code Execution (RCE) vulnerability stemming from Deserialization of Untrusted Data (CWE-502) in Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects versions 4.0.0 through 4.14.2, and only deployments running in cluster mode (master/worker architecture), where the master node accepts and deserializes data sent by worker nodes. Its CVSS v3.1 base score is 9.1, Critical (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H); the changed scope (S:C) reflects that a foothold on one node yields root on a different one.
The PR:H rating means the attacker must already hold a privileged position, here control of a worker node, obtained by any means such as initial access, insider threat, or supply chain compromise. From that position the attacker sends crafted data over the cluster channel to the master and executes arbitrary code there as root, taking over the primary cluster node and, through it, potentially the entire Wazuh deployment. Because a worker is a legitimate, authenticated member of the cluster, authenticating the channel does not stop this; the master has to stop turning worker-supplied data into arbitrary objects, which is why the fix is a code change rather than a configuration setting.
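To make the mechanism concrete, here is an added example (not Wazuh's cluster code, and not a reproduction of CVE-2026-25769) that puts a CWE-502 master-side handler next to a hardened one. The wire format, the RunOnLoadGadget class, the ALLOWED_COMMANDS schema and the shared key are all assumptions chosen to show the general failure: a master that rebuilds arbitrary objects from a worker's bytes runs whatever the worker chose to send, and a keyed channel does nothing about that when the worker itself is the attacker.

```python
"""CWE-502 in a master/worker control channel: vulnerable and hardened handlers.

Illustrative example added to this entry. It is not Wazuh's cluster code and
does not show how CVE-2026-25769 is actually triggered. The wire format,
RunOnLoadGadget, ALLOWED_COMMANDS and the shared key are assumptions.
"""
import hashlib
import hmac
import json
import os
import pickle

DEMO_MARK = "CVE_2026_25769_DEMO"

# A real payload would run os.system("...") on the master; this one only sets
# an environment variable so the effect can be observed safely in-process.
PAYLOAD_SOURCE = (
    "import os; os.environ['%s'] = 'arbitrary code ran on master'" % DEMO_MARK
)


class RunOnLoadGadget:
    """Deserializing this object calls exec() with sender-chosen source."""

    def __reduce__(self):
        return (exec, (PAYLOAD_SOURCE,))


def malicious_worker_payload():
    """Bytes a compromised worker would send to a master that unpickles."""
    return pickle.dumps(RunOnLoadGadget())


def vulnerable_master_handler(payload):
    # CWE-502: the worker controls the object graph, hence which callables run
    # during reconstruction. Channel authentication does not help here: the
    # worker is a legitimate, keyed peer that has been taken over.
    return pickle.loads(payload)


def master_was_compromised():
    return os.environ.get(DEMO_MARK) == "arbitrary code ran on master"


# Hardened pattern: check frame integrity, decode only into plain JSON types,
# then allowlist the command and the exact shape of its body.
ALLOWED_COMMANDS = {  # command -> required body fields and their types
    "keepalive": {},
    "sync_agent_info": {"agents": list},
}
TAG_LEN = hashlib.sha256().digest_size


def worker_encode(command, body, key):
    frame = json.dumps({"cmd": command, "body": body},
                       sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, frame, hashlib.sha256).digest() + frame


def hardened_master_handler(frame, key):
    if len(frame) < TAG_LEN:
        raise ValueError("short frame")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    try:
        msg = json.loads(body)  # yields only dict/list/str/int/float/bool/None
    except ValueError as exc:  # covers JSONDecodeError and invalid UTF-8
        raise ValueError("not JSON") from exc
    if (not isinstance(msg, dict) or set(msg) != {"cmd", "body"}
            or not isinstance(msg["cmd"], str)):
        raise ValueError("bad envelope")
    schema = ALLOWED_COMMANDS.get(msg["cmd"])
    if schema is None:
        raise ValueError("unknown command")
    fields = msg["body"]
    if not isinstance(fields, dict) or set(fields) != set(schema):
        raise ValueError("unexpected fields")
    for name, typ in schema.items():
        if not isinstance(fields[name], typ):
            raise ValueError("bad type for " + name)
    return msg["cmd"], fields


if __name__ == "__main__":
    vulnerable_master_handler(malicious_worker_payload())
    print("vulnerable master compromised:", master_was_compromised())
    key = b"shared-cluster-key"  # assumption: a pre-shared cluster secret
    print(hardened_master_handler(worker_encode("keepalive", {}, key), key))
    try:
        hardened_master_handler(malicious_worker_payload(), key)
    except ValueError as err:
        print("hardened master rejected the pickle payload:", err)
```

Two points the code makes that the prose cannot: the MAC check is there for frame integrity, not as the defense, since a compromised worker holds the cluster key and can sign anything; and decoding into plain JSON types only helps if the master never later maps a field value (a class name, a module path) back into an object to instantiate, which would reintroduce the same class of bug through a different parser.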
Wazuh has addressed the issue in version 4.14.3, which organizations should apply immediately to mitigate risk. Official advisories, including those on the Wazuh GitHub security page (GHSA-3gm7-962f-fxw5), detail the patch and recommend upgrading affected cluster deployments while scrutinizing worker node security.
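Exposure triage follows directly from the two conditions above (affected version and cluster mode enabled). The helper below is an added example, not a Wazuh tool: it assumes a version string of the form printed by `wazuh-control info` (WAZUH_VERSION="v4.14.2") and the `<cluster>` block layout of ossec.conf (`node_type`, `disabled`); both configuration snippets are constructed for the demo.

```python
"""Exposure triage for CVE-2026-25769: version range plus cluster mode.

Added example for this entry; it is not a Wazuh tool. Assumptions: the version
string looks like `WAZUH_VERSION="v4.14.2"` (as printed by wazuh-control info)
and ossec.conf carries a <cluster> block with <node_type> and <disabled>.
The two config snippets below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (4, 0, 0)   # advisory: versions 4.0.0 through 4.14.2
AFFECTED_MAX = (4, 14, 2)
FIXED = (4, 14, 3)

# Constructed sample configs, cut down to the relevant block.
MASTER_CONFIG = """
<ossec_config>
  <cluster>
    <name>wazuh</name>
    <node_name>master-01</node_name>
    <node_type>master</node_type>
    <disabled>no</disabled>
  </cluster>
</ossec_config>
"""
STANDALONE_CONFIG = """
<ossec_config>
  <cluster>
    <disabled>yes</disabled>
  </cluster>
</ossec_config>
"""


def parse_version(text):
    """Return (major, minor, patch) from '4.14.2', 'v4.14.2' or a
    WAZUH_VERSION="v4.14.2" line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def version_in_affected_range(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def cluster_mode(config_text):
    """Return (enabled, node_type). ossec.conf is usually written as several
    sibling <ossec_config> blocks, so wrap it in a synthetic root first.
    Assumption: a missing <disabled> element means the cluster is disabled."""
    root = ET.fromstring("<root>" + config_text + "</root>")
    cluster = root.find(".//cluster")
    if cluster is None:
        return False, None
    disabled = (cluster.findtext("disabled") or "yes").strip().lower()
    node_type = (cluster.findtext("node_type") or "").strip().lower() or None
    return disabled == "no", node_type


def assess(version, config_text):
    affected = version_in_affected_range(version)
    enabled, node_type = cluster_mode(config_text)
    return {
        "version": parse_version(version),
        "affected_version": affected,
        "cluster_enabled": enabled,
        "node_type": node_type,
        # The RCE needs cluster mode: a standalone node is not reachable this
        # way, but it still runs the vulnerable code and should be patched.
        "exposed": affected and enabled,
        "action": ("upgrade to %d.%d.%d or later" % FIXED) if affected else "none",
    }


if __name__ == "__main__":
    for label, ver, cfg in (("master", 'WAZUH_VERSION="v4.14.2"', MASTER_CONFIG),
                            ("standalone", "v4.9.1", STANDALONE_CONFIG),
                            ("patched master", "v4.14.3", MASTER_CONFIG)):
        print(label, assess(ver, cfg))
```

Run it against the real version output and the real ossec.conf of every master and worker; the "exposed" flag drives urgency, but "affected_version" alone is enough to schedule the upgrade, since enabling cluster mode later would silently turn a patched-looking standalone node into an exposed one.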
Details
- CWE(s)