CVE-2025-24016 (GCVE-0-2025-24016)

Vulnerability from cvelistv5 – Published: 2025-02-10 19:08 – Updated: 2026-02-26 19:09
Title
Remote code execution in Wazuh server
Summary
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
SSVC
Exploitation: active Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Vendor Product Version
wazuh wazuh Affected: >= 4.4.0, < 4.9.1
Create a notification for this product.
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant

Vulnerability ID: CVE-2025-24016

Status: Confirmed

Status Updated: 2025-06-10 00:00 UTC

Exploited: Yes


Timestamps
First Seen: 2025-06-10
Asserted: 2025-06-10

Scope
Notes: KEV entry: Wazuh Server Deserialization of Untrusted Data Vulnerability | Affected: Wazuh / Wazuh Server | Description: Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2025-07-01 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev


Details
Cwes CWE-502
Feed CISA Known Exploited Vulnerabilities Catalog
Product Wazuh Server
Due Date 2025-07-01
Date Added 2025-06-10
Vendorproject Wazuh
Vulnerabilityname Wazuh Server Deserialization of Untrusted Data Vulnerability
Knownransomwarecampaignuse Unknown

References

Created: 2026-02-02 12:25 UTC | Updated: 2026-02-06 07:17 UTC
Shadowserver
Known Exploited Vulnerability - GCVE BCP-07 Compliant

Vulnerability ID: CVE-2025-24016

Status: Confirmed

Status Updated: 2025-05-16 00:00 UTC

Exploited: Yes


Characteristics
Severity: 99.0

Timestamps
First Seen: 2025-05-03
Asserted: 2025-05-03
Last Seen: 2025-05-16

Scope
Asset Exposure: ['internet-facing']
Notes: Affected: Wazuh / Wazuh | Class: security-management-platform | Severity: Critical (CVSS 9.9) | IoT: no | In CISA KEV: no | Honeypot connections on 2025-05-16: 3

Evidence

Type: Honeypot

Signal: In The Wild Attempts

Confidence: 70%

Source: shadowserver


Details
1D 1
Iot no
Feed Shadowserver Foundation honeypot/exploited-vulnerabilities
Type http-scan
Class security-management-platform
7D Avg 0
Vendor Wazuh
30D Avg 0
90D Avg 0
Product Wazuh
Cisa Kev no
Connections 3
Observation Date 2025-05-16
Vulnerability Class CVSS
Vulnerability Score 9.9
Vulnerability Severity Critical

References

Created: 2026-06-30 09:42 UTC | Updated: 2026-06-30 11:54 UTC
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant

Vulnerability ID: CVE-2025-24016

Status: Confirmed

Status Updated: 2026-06-01 10:32 UTC

Exploited: Yes


Timestamps
First Seen: 2026-06-01
Asserted: 2026-06-01

Scope
Notes: KEVIntel entry: Remote code execution in Wazuh server | Affected: wazuh / wazuh | CVSS: 9.9 (CRITICAL) | EPSS: 0.92579 | Used in malware: unknown | Not yet in CISA KEV: False

Evidence

Type: Public Report

Signal: Successful Exploitation

Confidence: 70%

Source: kevintel


Details
Feed KEVIntel (kevintel.com)
Title Remote code execution in Wazuh server
Vendor wazuh
Product wazuh
Added Date 2026-06-01T10:32:30.977Z
Cvss Score 9.9
Epss Score 0.92579
Cvss Severity CRITICAL
Epss Percentile 0.99814
Used In Malware unknown
Ahead Of Cisa Kev
{
  "count": 1,
  "unit": "day"
}
Not Yet In Cisa Kev False

References

Created: 2026-06-23 14:03 UTC | Updated: 2026-06-23 14:03 UTC
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-24016",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-20T03:56:07.089496Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-06-10",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:09:19.971Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-06-10T00:00:00.000Z",
            "value": "CVE-2025-24016 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wazuh",
          "vendor": "wazuh",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.9.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-10T19:08:09.058Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh"
        }
      ],
      "source": {
        "advisory": "GHSA-hcrc-79hj-m3qh",
        "discovery": "UNKNOWN"
      },
      "title": "Remote code execution in Wazuh server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-24016",
    "datePublished": "2025-02-10T19:08:09.058Z",
    "dateReserved": "2025-01-16T17:31:06.458Z",
    "dateUpdated": "2026-02-26T19:09:19.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2025-24016",
      "cwes": "[\"CWE-502\"]",
      "dateAdded": "2025-06-10",
      "dueDate": "2025-07-01",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://wazuh.com/blog/addressing-the-cve-2025-24016-vulnerability/ ; https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh ; https://nvd.nist.gov/vuln/detail/CVE-2025-24016",
      "product": "Wazuh Server",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Wazuh contains a deserialization of untrusted data vulnerability that allows for remote code execution on Wazuh servers.",
      "vendorProject": "Wazuh",
      "vulnerabilityName": "Wazuh Server Deserialization of Untrusted Data Vulnerability"
    },
    "epss": {
      "cve": "CVE-2025-24016",
      "date": "2026-07-01",
      "epss": "0.92579",
      "percentile": "0.99813"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-24016\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-10T20:15:42.540\",\"lastModified\":\"2026-06-17T08:57:53.677\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.\"},{\"lang\":\"es\",\"value\":\"Wazuh es una plataforma gratuita y de c\u00f3digo abierto que se utiliza para la prevenci\u00f3n, detecci\u00f3n y respuesta ante amenazas. A partir de la versi\u00f3n 4.4.0 y antes de la versi\u00f3n 4.9.1, una vulnerabilidad de deserializaci\u00f3n insegura permite la ejecuci\u00f3n remota de c\u00f3digo en servidores Wazuh. Los par\u00e1metros de DistributedAPI se serializan como JSON y se deserializan utilizando `as_wazuh_object` (en `framework/wazuh/core/cluster/common.py`). Si un atacante logra inyectar un diccionario no depurado en una solicitud/respuesta DAPI, puede falsificar una excepci\u00f3n no controlada (`__unhandled_exc__`) para evaluar c\u00f3digo Python arbitrario. La vulnerabilidad puede ser activada por cualquier persona con acceso a la API (panel de control comprometido o servidores Wazuh en el cl\u00faster) o, en ciertas configuraciones, incluso por un agente comprometido. La versi\u00f3n 4.9.1 contiene una correcci\u00f3n.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"wazuh\",\"product\":\"wazuh\",\"versions\":[{\"version\":\"\u003e= 4.4.0, \u003c 4.9.1\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2025-08-20T03:56:07.089496Z\",\"id\":\"CVE-2025-24016\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2025-06-10\",\"cisaActionDue\":\"2025-07-01\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Wazuh Server Deserialization of Untrusted Data Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.4.0\",\"versionEndExcluding\":\"4.9.1\",\"matchCriteriaId\":\"EB8004AB-265E-4432-AC10-8361DCFC1F56\"}]}]}],\"references\":[{\"url\":\"https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-24016\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-20T03:56:07.089496Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2025-06-10\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-06-10T00:00:00.000Z\", \"value\": \"CVE-2025-24016 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24016\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T15:49:19.443Z\"}}], \"cna\": {\"title\": \"Remote code execution in Wazuh server\", \"source\": {\"advisory\": \"GHSA-hcrc-79hj-m3qh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"wazuh\", \"product\": \"wazuh\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.4.0, \u003c 4.9.1\"}]}], \"references\": [{\"url\": \"https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh\", \"name\": \"https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-10T19:08:09.058Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-24016\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T19:09:19.971Z\", \"dateReserved\": \"2025-01-16T17:31:06.458Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-10T19:08:09.058Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…