External risk intelligence

Wazuh Server Remote Code Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2025-24016

Wazuh servers are affected by an unsafe deserialization vulnerability. It allows an attacker with API access to execute arbitrary code on the server, compromising system integrity and confidentiality. The risk is heightened because the vulnerability is actively exploited. Organizations running vulnerable versions should prioritize remediation.

Halo Surface Signal: 4

Weakness class: Deserialization

Product: Wazuh

Affected versions: 4.4.0 to before 4.9.1

External exposure likelihood

Halo Surface Signal score for CVE-2025-24016

Wazuh is a security platform whose API and dashboard are commonly exposed to manage security agents across a network. As a centralized management and monitoring server, its API is routinely reachable by authenticated users and integrated services within an environment, so it is a standard, reachable management interface. Reaching the vulnerable code path still requires API access (or, in some configurations, a compromised agent), so the exposure is that of an authenticated management surface rather than an anonymous one.

Horizon Alert

Summary of the vulnerability and why it matters

Wazuh servers are susceptible to an unsafe deserialization vulnerability. This flaw can permit an attacker to execute arbitrary code on the server. The potential impact includes unauthorized access and control over affected systems.

  • Wazuh servers
  • Unsafe deserialization flaw
  • Remote code execution

Attack Path

How an attacker could exploit the issue

An attacker exploits this vulnerability by injecting an unsanitized dictionary into a DAPI (Distributed API) request or response. The crafted dictionary is deserialized as a forged unhandled exception, and the attacker-supplied content is evaluated as Python code on the Wazuh server, giving the attacker control of the host. Only specific versions of the Wazuh platform (4.4.0 to before 4.9.1) contain the flaw.

  • Exposure via the Wazuh API.
  • Attacker sends a crafted dictionary through the API.
  • The forged unhandled exception is deserialized by `as_wazuh_object`, which evaluates the attacker-supplied Python.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists within Wazuh servers that could allow for remote code execution. This flaw could enable an attacker to execute arbitrary Python code on affected Wazuh servers, potentially leading to a compromise of the entire system. The risk is amplified as this vulnerability has been added to the Known Exploited Vulnerabilities catalog, indicating active exploitation. Organizations using vulnerable versions of Wazuh should prioritize remediation to mitigate business risk.

  • Attackers with low skill level.
  • Requires API access.
  • High business risk, urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Wazuh allows for remote code execution on servers, posing a significant risk to the confidentiality, integrity, and availability of organizational data and systems. Attackers with API access or, in some configurations, compromised agents can exploit this by injecting unsanitized data, leading to arbitrary Python code evaluation. The disclosed vulnerability is actively exploited, and organizations should prioritize remediation to mitigate potential business disruption and security breaches.

  • Identify all Wazuh servers and their versions.
  • Restrict API access and monitor for unusual activity.
  • Apply the vendor fix (4.9.1 or later) and validate system integrity.
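The first priority action is an inventory. The following is an added example, not Wazuh project code: it triages a list of servers by the `WAZUH_VERSION="vX.Y.Z"` line that `wazuh-control info` prints, against the affected range stated above (4.4.0 inclusive to 4.9.1 exclusive). The host inventory is constructed sample data, and the host names are hypothetical.

```python
import re

# Affected range from the advisory: 4.4.0 <= version < 4.9.1
AFFECTED_MIN = (4, 4, 0)   # first affected release (inclusive)
FIXED_IN = (4, 9, 1)       # first fixed release (exclusive bound)

# Matches the WAZUH_VERSION line of `wazuh-control info` output.
_VERSION_RE = re.compile(r'WAZUH_VERSION="v?(\d+)\.(\d+)\.(\d+)"')


def parse_version(info_output: str) -> tuple:
    """Extract (major, minor, patch) as integers so comparisons are numeric,
    not lexicographic ("4.10.0" must sort after "4.9.1")."""
    m = _VERSION_RE.search(info_output)
    if not m:
        raise ValueError("no WAZUH_VERSION line found")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the version falls inside the affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


def fmt(version: tuple) -> str:
    return ".".join(str(x) for x in version)


def triage(inventory: dict) -> dict:
    """inventory: host -> raw `wazuh-control info` output.
    Returns host -> human-readable status, never raising on bad input so
    one unreadable host does not abort the whole sweep."""
    report = {}
    for host, output in inventory.items():
        try:
            version = parse_version(output)
        except ValueError as exc:
            report[host] = f"unknown ({exc})"
            continue
        if is_vulnerable(version):
            report[host] = f"{fmt(version)} VULNERABLE - upgrade to {fmt(FIXED_IN)} or later"
        else:
            report[host] = f"{fmt(version)} not affected"
    return report


# Constructed sample inventory (hypothetical hosts, not real output captures).
SAMPLE_INVENTORY = {
    "wazuh-master":   'WAZUH_VERSION="v4.9.0"\nWAZUH_TYPE="server"\n',
    "wazuh-worker-1": 'WAZUH_VERSION="v4.9.1"\nWAZUH_TYPE="server"\n',
    "wazuh-worker-2": 'WAZUH_VERSION="v4.10.0"\nWAZUH_TYPE="server"\n',
    "wazuh-legacy":   'WAZUH_VERSION="v4.3.11"\nWAZUH_TYPE="server"\n',
    "wazuh-unknown":  "bash: /var/ossec/bin/wazuh-control: No such file or directory\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

The version is compared as a tuple of integers on purpose: a string comparison would rank `4.10.0` below `4.9.1` and report a patched host as vulnerable. Hosts whose output cannot be parsed are reported as unknown so they get manually checked rather than silently dropped from the sweep.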

Frequently asked questions

What is the primary function of Wazuh and what kind of vulnerability does it have?

Wazuh is a free and open-source platform designed for threat prevention, detection, and response. It is currently affected by an unsafe deserialization vulnerability that can lead to remote code execution on its servers.

What type of weakness does CVE-2025-24016 represent in Wazuh servers?

CVE-2025-24016 is classified as CWE-502, which corresponds to 'Deserialization of Untrusted Data'. This weakness allows an attacker to execute arbitrary Python code on vulnerable Wazuh servers by injecting unsanitized data.

How can an attacker trigger the remote code execution vulnerability in Wazuh servers?

DAPI (Distributed API) requests and responses are serialized as JSON and deserialized with `as_wazuh_object`. An attacker who can inject an unsanitized dictionary into such a request or response can forge an unhandled-exception object, and deserializing it causes the attacker-supplied content to be evaluated as Python code.
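The attack path above and this answer describe the same CWE-502 pattern: a JSON deserialization hook that rebuilds an "unhandled exception" by evaluating a class name taken from the message. The following is an added example, not Wazuh's own code: a minimal model of that vulnerable hook next to a hardened replacement that resolves the class through an explicit allowlist instead of `eval`. The `__unhandled_exc__` marker and the `__class__`/`__args__` fields follow the envelope shape the vendor advisory describes; the hook bodies, `ClusterError`, and the sample messages are constructed for this illustration and are not the project's implementation.

```python
import json

# Envelope marker for a serialized "unhandled exception" (shape per advisory;
# hook bodies below are a simplified model, not Wazuh's code).
UNHANDLED_EXC_KEY = "__unhandled_exc__"


def as_object_vulnerable(dct):
    """Model of the CWE-502 sink: the object_hook trusts the message to name
    the class to rebuild and evaluates that name as Python."""
    if UNHANDLED_EXC_KEY in dct:
        exc = dct[UNHANDLED_EXC_KEY]
        # eval() on attacker-controlled text: arbitrary code runs here.
        return eval(exc["__class__"])(*exc.get("__args__", []))
    return dct


class ClusterError(Exception):
    """Hypothetical application exception type used by the allowlist."""


# Hardened: class names are looked up in a fixed allowlist, never evaluated.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
    "ClusterError": ClusterError,
}

# Exception arguments are restricted to flat JSON primitives.
_PRIMITIVES = (str, int, float, bool, type(None))


def as_object_hardened(dct):
    if UNHANDLED_EXC_KEY in dct:
        exc = dct[UNHANDLED_EXC_KEY]
        if not isinstance(exc, dict):
            raise ValueError("malformed exception envelope")
        name = exc.get("__class__")
        cls = ALLOWED_EXCEPTIONS.get(name)
        if cls is None:
            raise ValueError(f"refusing to rebuild exception class {name!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list) or not all(isinstance(a, _PRIMITIVES) for a in args):
            raise ValueError("exception args must be a flat list of primitives")
        return cls(*args)
    return dct


def deserialize(payload: str, hook):
    """Parse one JSON message through the given object_hook (both hooks above
    are meant to be used this way)."""
    return json.loads(payload, object_hook=hook)


# Constructed sample messages (not captured traffic).
LEGIT_MSG = json.dumps(
    {UNHANDLED_EXC_KEY: {"__class__": "ValueError", "__args__": ["bad request"]}}
)
# The "class name" here is a Python expression. Under the vulnerable hook it is
# evaluated and then called; it is kept harmless and just returns a string.
INJECTED_MSG = json.dumps(
    {UNHANDLED_EXC_KEY: {"__class__": "(lambda *a: 'injected code ran')", "__args__": []}}
)


def demo() -> dict:
    """Run both hooks over both messages and report what each produced."""
    results = {
        "vuln_legit": repr(deserialize(LEGIT_MSG, as_object_vulnerable)),
        "vuln_injected": deserialize(INJECTED_MSG, as_object_vulnerable),
        "hard_legit": repr(deserialize(LEGIT_MSG, as_object_hardened)),
    }
    try:
        deserialize(INJECTED_MSG, as_object_hardened)
        results["hard_injected"] = "accepted"
    except ValueError as exc:
        results["hard_injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The legitimate message round-trips to a `ValueError('bad request')` under both hooks; the injected message makes the vulnerable hook execute the embedded expression, while the hardened hook rejects it because the name is not in the allowlist. The fix is the allowlist plus argument type checks, not input "sanitization": any path that turns message text into a callable is the sink.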

Why is CVE-2025-24016 considered a significant threat, and is it actively exploited?

This vulnerability allows for remote code execution, posing a critical risk to system integrity and data. It has been added to the Known Exploited Vulnerabilities catalog, indicating that it is actively exploited in the wild, making remediation urgent.

What actions should organizations take to address the Wazuh vulnerability?

Organizations should identify all Wazuh servers and their versions, apply the vendor-provided fix in version 4.9.1, restrict API access, and monitor for unusual activity. Discontinuing use is an option if mitigations are unavailable.
