CVE-2026-25770
Published: 17 March 2026
Summary
CVE-2026-25770 is a critical-severity Path Traversal (CWE-22) vulnerability in Wazuh (vendor: Wazuh). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 21.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 enforces least privilege, directly mitigating the vulnerability by ensuring the 'wazuh' user lacks write access to critical files such as ossec.conf and by restricting the set of files wazuh-clusterd is permitted to write.
CM-6 establishes and enforces secure configuration settings, such as restrictive file permissions on ossec.conf, preventing unauthorized overwrites by the 'wazuh' user.
AC-3 enforces approved access control policies at the file system level, blocking authenticated cluster nodes from performing arbitrary writes via the wazuh-clusterd service.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an authenticated arbitrary file write in the cluster protocol combined with weak configuration-file permissions. Together these allow direct exploitation for privilege escalation (T1068) to root: a malicious command injected into ossec.conf is executed by the root-privileged wazuh-logcollector process (T1059.004, Unix Shell).
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager's file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
Deeper analysis
CVE-2026-25770 is a privilege escalation vulnerability in the Wazuh Manager's cluster synchronization protocol, affecting the open-source Wazuh platform for threat prevention, detection, and response. The issue resides in the `wazuh-clusterd` service, which permits authenticated cluster nodes to write arbitrary files to the manager's file system under the permissions of the `wazuh` system user. Due to insecure default permissions granting the `wazuh` user write access to the main configuration file at `/var/ossec/etc/ossec.conf`, this enables overwriting the file to inject a malicious `<localfile>` command block. The vulnerability impacts Wazuh versions starting from 3.9.0 up to but not including 4.14.3, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and associated CWEs including CWE-22, CWE-269, and CWE-732.
An attacker with valid cluster node credentials can exploit this by leveraging the cluster protocol to overwrite `ossec.conf` with a crafted configuration. The `wazuh-logcollector` service, running as root, subsequently parses the tampered file and executes the injected command, resulting in full remote code execution (RCE) with root privileges on the manager. This chain violates the principle of least privilege, allowing high-privilege cluster participants to bypass security controls and achieve complete system compromise.
Wazuh version 4.14.3 addresses the vulnerability by fixing the insecure file write mechanism in the cluster synchronization protocol. Additional details and patch information are available in the official security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm. Security practitioners should upgrade affected managers to 4.14.3 or later and review cluster node authentication configurations.
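As an added example (not part of this advisory or of Wazuh's own code), the following Python audit applies the AC-6/CM-6 controls above to a manager's ossec.conf: it lists every `<localfile>` block whose `log_format` is `command` or `full_command` (the formats under which wazuh-logcollector runs the command itself, as root), flags commands missing from an approved baseline, and tests whether anyone other than root can write the file. The sample configuration, the baseline and the uid values are constructed; the synthetic root element is needed because a real ossec.conf usually contains several top-level `<ossec_config>` blocks.

```python
import stat
import xml.etree.ElementTree as ET

# log_format values under which wazuh-logcollector executes the <command> text itself.
COMMAND_FORMATS = {"command", "full_command"}

# Constructed sample: one benign command entry plus one that is not in the baseline.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>cat /etc/hostname</command>
  </localfile>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf commonly holds several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own; wrap them in a synthetic root so ElementTree accepts it.
    return ET.fromstring("<audit-root>" + text + "</audit-root>")

def command_localfiles(text):
    """Return (log_format, command) for each <localfile> that executes a command."""
    found = []
    for lf in parse_ossec_conf(text).iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in COMMAND_FORMATS:
            found.append((fmt, (lf.findtext("command") or "").strip()))
    return found

def unexpected_commands(text, baseline):
    """Commands absent from the approved baseline: a tampered config shows up here."""
    return [cmd for _, cmd in command_localfiles(text) if cmd not in baseline]

def weak_permissions(mode, owner_uid, service_uid, root_uid=0):
    """True unless only root can write the file. The advisory's chain relied on the
    'wazuh' service account being able to overwrite ossec.conf."""
    if owner_uid == service_uid or owner_uid != root_uid:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
```

To audit a live manager, pass `os.stat(path).st_mode` and `st_uid` together with `pwd.getpwnam("wazuh").pw_uid` to `weak_permissions`, and feed the file contents to `unexpected_commands` with the baseline taken from your configuration management.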
Details
- CWE(s)