Saturday, May 3, 2025
HomeCVE/vulnerabilityWazuh SIEM Vulnerability Enables Remote Malicious Code Execution

Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution

Published on

SIEM as a Service

Follow Us on Google News

A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information and Event Management (SIEM) platform.

This vulnerability affects versions 4.4.0 to 4.9.0 and allows attackers with API access to execute arbitrary Python code remotely, potentially leading to complete system compromise.

The flaw stems from the unsafe deserialization of Distributed API (DAPI) parameters, which are used for communication between Wazuh components, as per the report by CVE reports.

- Advertisement - Google News

Vulnerability Details

The following table highlights the key details about the CVE-2025-24016 vulnerability and the affected Wazuh products:

CVE IDAffected SoftwareVersionsVulnerability TypeSeverity (CVSSv3.1)Patch Version
CVE-2025-24016Wazuh SIEM Platform4.4.0 to 4.9.0Remote Code Execution (RCE)9.9 (Critical)4.9.1

The vulnerability resides in the as_wazuh_object function within the framework/wazuh/core/cluster/common.py file.

This function is responsible for deserializing JSON data received through the Distributed API. The problematic code snippet before the patch is shown below:

def as_wazuh_object(dct: Dict):
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            return eval(exc_data['__class__'])(*exc_data['__args__'])
        return dct
    except (KeyError, AttributeError):
        return dct

This code uses the eval function to execute arbitrary Python code based on data provided in the __class__ and __args__ fields, making it a prime target for exploitation.

Impact and Exploitation

An attacker can exploit this vulnerability by sending a malicious JSON payload to the Wazuh server through the API.

The payload must contain the __unhandled_exc__ key, along with the __class__ and __args__ values that specify the code to be executed. For example:

{
    "__unhandled_exc__": {
        "__class__": "os.system",
        "__args__": ["touch /tmp/pwned"]
    }
}

When processed by the as_wazuh_object function, this payload would execute the command os.system(“touch /tmp/pwned”), creating a file named /tmp/pwned on the Wazuh server.

Patch and Mitigation

The vulnerability was patched in Wazuh version 4.9.1 by replacing the unsafe eval function with ast.literal_eval.

The latter safely evaluates a string containing a Python literal, preventing arbitrary code execution. Here’s the modified code snippet:

def as_wazuh_object(dct: Dict):
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            exc_dict = {exc_data['__class__']: exc_data['__args__']}
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct

Mitigation Strategies

To mitigate the risk of CVE-2025-24016, organizations should:

  • Upgrade to Wazuh version 4.9.1 or later.
  • Restrict API access to authorized users and systems.
  • Implement strong authentication mechanisms, such as multi-factor authentication.
  • Monitor API traffic for suspicious activity.
  • Regularly review and update security configurations.
  • Implement network segmentation to limit the impact of a successful attack.

Using a Web Application Firewall (WAF) can also help detect and block malicious requests before they reach the Wazuh server.

The exploitation of CVE-2025-24016 can have severe consequences, including:

  • Complete control of the Wazuh server: Allowing attackers to access sensitive data and modify configurations.
  • Compromise of the entire Wazuh cluster: By gaining control of the master server.
  • Disruption of security monitoring: Enabling attackers to carry out further attacks undetected.
  • Theft of sensitive data: Accessing logs, alerts, and other data stored on the server.
  • Using the Wazuh server for further attacks: Serving as a launching pad for lateral movement within the network.

Ensuring timely patching and implementing robust security measures are crucial in preventing such attacks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...