Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution

A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information and Event Management (SIEM) platform.

This vulnerability affects versions 4.4.0 to 4.9.0 and allows attackers with API access to execute arbitrary Python code remotely, potentially leading to complete system compromise.

The flaw stems from the unsafe deserialization of Distributed API (DAPI) parameters, which are used for communication between Wazuh components, as per the report by CVE reports.

Vulnerability Details

The following table highlights the key details about the CVE-2025-24016 vulnerability and the affected Wazuh products:

The vulnerability resides in the as_wazuh_object function within the framework/wazuh/core/cluster/common.py file.

This function is responsible for deserializing JSON data received through the Distributed API. The problematic code snippet before the patch is shown below:

def as_wazuh_object(dct: Dict):
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            return eval(exc_data['__class__'])(*exc_data['__args__'])
        return dct
    except (KeyError, AttributeError):
        return dct

This code uses the eval function to execute arbitrary Python code based on data provided in the __class__ and __args__ fields, making it a prime target for exploitation.

Impact and Exploitation

An attacker can exploit this vulnerability by sending a malicious JSON payload to the Wazuh server through the API.

The payload must contain the __unhandled_exc__ key, along with the __class__ and __args__ values that specify the code to be executed. For example:

{
    "__unhandled_exc__": {
        "__class__": "os.system",
        "__args__": ["touch /tmp/pwned"]
    }
}

When processed by the as_wazuh_object function, this payload would execute the command os.system(“touch /tmp/pwned”), creating a file named /tmp/pwned on the Wazuh server.

Patch and Mitigation

The vulnerability was patched in Wazuh version 4.9.1 by replacing the unsafe eval function with ast.literal_eval.

The latter safely evaluates a string containing a Python literal, preventing arbitrary code execution. Here’s the modified code snippet:

def as_wazuh_object(dct: Dict):
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            exc_dict = {exc_data['__class__']: exc_data['__args__']}
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct

Mitigation Strategies

To mitigate the risk of CVE-2025-24016, organizations should:

• Upgrade to Wazuh version 4.9.1 or later.
• Restrict API access to authorized users and systems.
• Implement strong authentication mechanisms, such as multi-factor authentication.
• Monitor API traffic for suspicious activity.
• Regularly review and update security configurations.
• Implement network segmentation to limit the impact of a successful attack.

Using a Web Application Firewall (WAF) can also help detect and block malicious requests before they reach the Wazuh server.

The exploitation of CVE-2025-24016 can have severe consequences, including:

• Complete control of the Wazuh server: Allowing attackers to access sensitive data and modify configurations.
• Compromise of the entire Wazuh cluster: By gaining control of the master server.
• Disruption of security monitoring: Enabling attackers to carry out further attacks undetected.
• Theft of sensitive data: Accessing logs, alerts, and other data stored on the server.
• Using the Wazuh server for further attacks: Serving as a launching pad for lateral movement within the network.

Ensuring timely patching and implementing robust security measures are crucial in preventing such attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.