Cyber Resilience

CVE-2026-25769

Critical · Public PoC · RCE

Published: 17 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.1, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.0925 (94.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25769 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Wazuh (vendor: Wazuh). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 5.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25769 is a Remote Code Execution (RCE) vulnerability stemming from Deserialization of Untrusted Data (CWE-502) in Wazuh, a free and open-source platform for threat prevention, detection, and response. It affects versions 4.0.0 through 4.14.2, specifically impacting deployments in cluster mode with a master/worker architecture. The vulnerability enables exploitation across nodes in this setup, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

The high-privilege requirement (PR:H) reflects that an attacker must first gain access to a worker node, by any means (initial access, insider threat, or supply chain compromise). From a worker node, the attacker can remotely execute arbitrary code on the master node with root privileges, gaining full control of the primary cluster node and potentially the entire Wazuh deployment.

Wazuh has addressed the issue in version 4.14.3, which organizations should apply immediately to mitigate risk. Official advisories, including those on the Wazuh GitHub security page (GHSA-3gm7-962f-fxw5), detail the patch and recommend upgrading affected cluster deployments while scrutinizing worker node security.
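The scope described above (affected releases 4.0.0 through 4.14.2, cluster mode only, fix in 4.14.3) is the kind of rule a defender turns into an inventory check. The following is an added example, not code from Wazuh or from this advisory; the node names, versions and the Node fields are constructed for illustration.

```python
"""Triage helper for CVE-2026-25769 across a Wazuh cluster inventory (constructed
example, not Wazuh code): flag nodes in the affected range 4.0.0..4.14.2 running cluster mode."""
from dataclasses import dataclass

AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 14, 2)   # last affected release (inclusive)
FIXED_VERSION = "4.14.3"

def parse_version(text: str) -> tuple:
    """Turn '4.14.2' or 'v4.14.2' into a comparable (major, minor, patch)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Wazuh version string: {text!r}")
    return tuple(int(p) for p in parts)

def version_affected(version: str) -> bool:
    """True when the release falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

@dataclass
class Node:
    name: str
    version: str
    cluster_enabled: bool   # False for a standalone manager
    role: str               # "master" or "worker"

# Constructed inventory: names and versions are invented for this example.
SAMPLE_NODES = [
    Node("mgr-master", "4.14.2", True, "master"),
    Node("mgr-worker-1", "4.13.0", True, "worker"),
    Node("mgr-worker-2", "4.14.3", True, "worker"),     # already on the fix
    Node("lab-standalone", "4.10.1", False, "master"),  # not in cluster mode
]

def triage(nodes):
    """Return [(node name, action)] for every node inside the advisory's scope."""
    findings = []
    for n in nodes:
        if not n.cluster_enabled or not version_affected(n.version):
            continue  # standalone managers and fixed releases are out of scope
        if n.role == "master":
            action = f"upgrade to {FIXED_VERSION}: RCE target if any worker is compromised"
        else:
            action = f"upgrade to {FIXED_VERSION}, review hardening: a compromised worker is the foothold"
        findings.append((n.name, action))
    return findings

if __name__ == "__main__":
    for name, action in triage(SAMPLE_NODES):
        print(f"{name}: {action}")
```

A standalone manager outside the advisory's scope is still worth upgrading; the check only prioritises the cluster nodes the advisory names.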

Vulnerability details

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The vulnerability enables remote code execution on the master node from a high-privilege position on a worker node via deserialization, directly facilitating Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24016 (same product: Wazuh)
CVE-2026-25772 (same product: Wazuh)
CVE-2026-30893 (same product: Wazuh)
CVE-2024-47770 (same product: Wazuh)
CVE-2024-35177 (same product: Wazuh)
CVE-2026-25790 (same product: Wazuh)
CVE-2025-62786 (same product: Wazuh)
CVE-2025-15612 (same product: Wazuh)
CVE-2025-15617 (same product: Wazuh)
CVE-2025-15615 (same product: Wazuh)

Affected Assets

Vendor: wazuh
Product: wazuh
Versions: 4.0.0 — 4.14.3

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-2 (Flaw Remediation)
Directly addresses the RCE vulnerability by requiring timely flaw remediation through patching to Wazuh version 4.14.3 or later.

prevent · SI-10 (Information Input Validation)
Prevents deserialization of untrusted data (CWE-502) by enforcing validation of information inputs received by the master node from worker nodes.

prevent · Least privilege
Enforces least privilege on worker nodes, increasing the difficulty for attackers to obtain the high privileges (PR:H) needed to exploit the vulnerability.
