Wazuh Open Source SIEM Vulnerability Allows Malicious Code Execution Remotely
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
Cybersecurity researchers have disclosed a critical remote code execution vulnerability (CVE-2025-24016) affecting Wazuh, a widely used open-source security information and event management (SIEM) platform.
The vulnerability, which carries a severe CVSS score of 9.9, impacts versions 4.4.0 through 4.9.0 and allows attackers with API access to execute arbitrary Python code on Wazuh servers.
The flaw stems from unsafe deserialization in the DistributedAPI (DAPI) component, where parameters are serialized as JSON and later deserialized using the as_wazuh_object function located in framework/wazuh/core/cluster/common.py.
This function contains a critical security flaw that permits the execution of arbitrary code when processing maliciously crafted JSON payloads.
The vulnerable code snippet prior to patching is particularly concerning:
According to CVE reports, attackers can exploit this vulnerability by crafting a malicious JSON payload containing a dictionary with the __unhandled_exc__ key. For example, the following payload can execute arbitrary system commands:
When processed by the vulnerable as_wazuh_object function, this payload would execute the command touch /tmp/pwned on the server.
The summary of the vulnerability is given below:
| Risk Factors | Details |
| --- | --- |
| Affected Products | Wazuh (versions 4.4.0 through 4.9.0) |
| Impact | Remote code execution with system-level privileges |
| Exploit Prerequisites | API access to Wazuh server |
| CVSS 3.1 Score | 9.9 (Critical) |
PoC Exploit
A proof-of-concept exploit has been published, demonstrating how attackers can trigger the vulnerability using the run_as endpoint with a simple curl command:
This vulnerability is reminiscent of the notorious Apache Struts deserialization vulnerability (CVE-2017-5638) that led to the Equifax breach in 2017, though it requires API access rather than arbitrary HTTP requests.
Mitigations
The impact of this vulnerability is significant as Wazuh servers are typically central components of an organization’s security infrastructure.
Successful exploitation would grant attackers the ability to execute arbitrary code with the privileges of the Wazuh service, potentially leading to data theft, service disruption, or lateral movement through the network.
Wazuh has patched this vulnerability in version 4.9.1 by replacing the unsafe eval() function with the secure ast.literal_eval() function, which safely evaluates a string containing Python literals without executing arbitrary code.
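To make the eval-versus-literal_eval difference concrete, here is an added example (not Wazuh's own code) of a JSON object_hook that treats the __unhandled_exc__ marker the way the patched version is described: the marker's string value is parsed with ast.literal_eval, so Python literals are reconstructed but any expression containing a call, attribute access or import is rejected instead of executed. The hook name, the decoding wrapper and the sample payloads are constructed for illustration.

```python
import ast
import json
from typing import Any, Tuple

# Marker key that the article says crafted DAPI payloads carry.
UNHANDLED_EXC_KEY = "__unhandled_exc__"


def safe_as_wazuh_object(dct: dict) -> Any:
    """json.loads object_hook; hypothetical stand-in for the patched hook.

    The marker's value is a string holding a Python literal. ast.literal_eval
    accepts only constants, tuples, lists, dicts and sets; it never evaluates
    calls, attribute lookups or imports, which is what eval() would have run.
    """
    if UNHANDLED_EXC_KEY not in dct:
        return dct
    raw = dct[UNHANDLED_EXC_KEY]
    if not isinstance(raw, str):
        raise ValueError("marker value must be a string")
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"rejected non-literal payload: {exc}") from exc


def try_decode(payload: str) -> Tuple[bool, Any]:
    """Decode one DAPI-style JSON string: (True, value) or (False, reason)."""
    try:
        return True, json.loads(payload, object_hook=safe_as_wazuh_object)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    benign = '{"__unhandled_exc__": "(\'WazuhError\', (1000, \'detail\'))"}'
    hostile = '{"__unhandled_exc__": "str(1)"}'  # a call expression, not a literal
    print(try_decode(benign))   # (True, ('WazuhError', (1000, 'detail')))
    print(try_decode(hostile))  # (False, 'rejected non-literal payload: ...')
```

A rejected marker is also a useful detection signal: logging the (False, reason) path on the server side surfaces tampered DAPI messages that the old eval()-based hook would have silently executed.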
Security experts are urging organizations running affected Wazuh versions to update immediately.
“This is a critical vulnerability that should be addressed with the highest priority,” warns the Centre for Cybersecurity Belgium.
For organizations unable to update immediately, experts recommend implementing network segmentation, restricting API access, monitoring API traffic for suspicious activity, and using Web Application Firewalls (WAFs) to detect and block malicious requests.