Tuesday, May 20, 2025

Wazuh SIEM Vulnerability Enables Remote Malicious Code Execution


A critical vulnerability, identified as CVE-2025-24016, has been discovered in the Wazuh Security Information and Event Management (SIEM) platform.

This vulnerability affects versions 4.4.0 to 4.9.0 and allows attackers with API access to execute arbitrary Python code remotely, potentially leading to complete system compromise.

According to the CVE report, the flaw stems from the unsafe deserialization of Distributed API (DAPI) parameters, which are used for communication between Wazuh components.


Vulnerability Details

The following table highlights the key details about the CVE-2025-24016 vulnerability and the affected Wazuh products:

CVE ID: CVE-2025-24016
Affected Software: Wazuh SIEM Platform
Versions: 4.4.0 to 4.9.0
Vulnerability Type: Remote Code Execution (RCE)
Severity (CVSSv3.1): 9.9 (Critical)
Patch Version: 4.9.1

The vulnerability resides in the as_wazuh_object function within the framework/wazuh/core/cluster/common.py file.

This function is responsible for deserializing JSON data received through the Distributed API. The problematic code snippet before the patch is shown below:

import datetime
from typing import Dict

def as_wazuh_object(dct: Dict):
    # JSON object hook applied to every object decoded from a DAPI message
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            # Vulnerable: eval() resolves the attacker-controlled '__class__' string
            # to any callable and invokes it with the attacker-controlled '__args__'
            return eval(exc_data['__class__'])(*exc_data['__args__'])
        return dct
    except (KeyError, AttributeError):
        return dct

This code uses the eval function to execute arbitrary Python code based on data provided in the __class__ and __args__ fields, making it a prime target for exploitation.

Impact and Exploitation

An attacker can exploit this vulnerability by sending a malicious JSON payload to the Wazuh server through the API.

The payload must contain the __unhandled_exc__ key, along with the __class__ and __args__ values that specify the code to be executed. For example:

{
    "__unhandled_exc__": {
        "__class__": "os.system",
        "__args__": ["touch /tmp/pwned"]
    }
}

When processed by the as_wazuh_object function, this payload would execute the command os.system("touch /tmp/pwned"), creating a file named /tmp/pwned on the Wazuh server.

Patch and Mitigation

The vulnerability was patched in Wazuh version 4.9.1 by replacing the unsafe eval function with ast.literal_eval.

The latter safely evaluates a string containing a Python literal, preventing arbitrary code execution. Here’s the modified code snippet:

import ast
import datetime
import json
from typing import Dict

def as_wazuh_object(dct: Dict):
    # JSON object hook applied to every object decoded from a DAPI message
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            exc_dict = {exc_data['__class__']: exc_data['__args__']}
            # Fixed: literal_eval only accepts Python literals, so the class name
            # and arguments come back as plain data and nothing is called
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct

Mitigation Strategies

To mitigate the risk of CVE-2025-24016, organizations should:

  • Upgrade to Wazuh version 4.9.1 or later.
  • Restrict API access to authorized users and systems.
  • Implement strong authentication mechanisms, such as multi-factor authentication.
  • Monitor API traffic for suspicious activity.
  • Regularly review and update security configurations.
  • Implement network segmentation to limit the impact of a successful attack.

Using a Web Application Firewall (WAF) can also help detect and block malicious requests before they reach the Wazuh server.
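The following is an added example, not code from the article or from the Wazuh project: it runs the article's example payload through an object hook written along the lines of the 4.9.1 fix, showing that the decoded result is inert data, and pairs it with a scanner for the "monitor API traffic" recommendation that flags __unhandled_exc__ objects whose __class__ is not an expected exception name. The EXPECTED_EXC_CLASSES allowlist and all function names are assumptions made for this example.

```python
import ast
import datetime
import json
from typing import Any, Dict, List

# Hypothetical allowlist: exception class names a legitimate DAPI message may
# carry. Any other "__class__" value is reported by the scanner below.
EXPECTED_EXC_CLASSES = {"WazuhError", "WazuhInternalError", "WazuhClusterError"}

def as_wazuh_object_patched(dct: Dict) -> Any:
    """Object hook mirroring the 4.9.1 fix: the literal round-trip yields data."""
    try:
        if "__wazuh_datetime__" in dct:
            return datetime.datetime.fromisoformat(dct["__wazuh_datetime__"])
        elif "__unhandled_exc__" in dct:
            exc_data = dct["__unhandled_exc__"]
            exc_dict = {exc_data["__class__"]: exc_data["__args__"]}
            # literal_eval accepts only literals, never names or calls, so
            # "os.system" comes back as a plain dictionary key.
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct

def decode_dapi(payload: str) -> Any:
    """Decode a DAPI JSON body; json.loads runs the hook on every object."""
    return json.loads(payload, object_hook=as_wazuh_object_patched)

def flag_unhandled_exc(payload: str) -> List[str]:
    """Scan a logged API body for __unhandled_exc__ objects whose __class__ is
    not an expected exception name; one finding per suspicious object."""
    findings: List[str] = []
    def visit(node: Any) -> None:
        if isinstance(node, dict):
            exc = node.get("__unhandled_exc__")
            if isinstance(exc, dict) and str(exc.get("__class__")) not in EXPECTED_EXC_CLASSES:
                findings.append(f"unexpected __class__ {exc.get('__class__')!r} "
                                f"with args {exc.get('__args__')!r}")
            for child in node.values():
                visit(child)
        elif isinstance(node, list):
            for child in node:
                visit(child)

    try:
        visit(json.loads(payload))
    except json.JSONDecodeError:
        findings.append("body is not valid JSON")
    return findings
```

Running the article's payload through decode_dapi yields {"os.system": ["touch /tmp/pwned"]} with no command executed, while flag_unhandled_exc reports the same body as suspicious because "os.system" is not an exception class.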

The exploitation of CVE-2025-24016 can have severe consequences, including:

  • Complete control of the Wazuh server: Allowing attackers to access sensitive data and modify configurations.
  • Compromise of the entire Wazuh cluster: By gaining control of the master server.
  • Disruption of security monitoring: Enabling attackers to carry out further attacks undetected.
  • Theft of sensitive data: Accessing logs, alerts, and other data stored on the server.
  • Using the Wazuh server for further attacks: Serving as a launching pad for lateral movement within the network.

Ensuring timely patching and implementing robust security measures are crucial in preventing such attacks.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
