CVE-2025-24016 : Wazuh is a free and open source platform used for threat prevention, detection,

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

Published 2025-02-10 19:08:09

Updated 2025-06-11 21:11:45

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2025-24016

Wazuh » Wazuh
Versions from including (>=) 4.4.0 and before (<) 4.9.1
cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
Matching versions

CVE-2025-24016 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Wazuh Server Deserialization of Untrusted Data Vulnerability

CISA required action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA description:

Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.

Notes:

https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016

Added on 2025-06-10 Action due date 2025-07-01

Exploit prediction scoring system (EPSS) score for CVE-2025-24016

EPSS FAQ

91.49%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-24016

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H	N/A	N/A	GitHub, Inc.	2025-02-10
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: High Availability: High
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H	3.1	6.0	GitHub, Inc.	2025-02-10
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: High Availability: High

CWE ids for CVE-2025-24016

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Primary)

References for CVE-2025-24016

https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

Exploit;Vendor Advisory