Wazuh SIEM vulnerability enables remote code execution


A critical vulnerability, CVE-2025-24016, has been found in the Wazuh SIEM platform, affecting versions 4.4.0 to 4.9.0.


It allows attackers with API access to remotely execute arbitrary Python code, potentially compromising the system. The issue arises from unsafe deserialization of Distributed API (DAPI) parameters used for communication between Wazuh components, according to CVE reports.

The table below shows key details about the CVE-2025-24016 vulnerability and the affected Wazuh products:

CVE ID         | Affected Software   | Versions       | Vulnerability Type    | Severity (CVSSv3.1) | Patch Version
CVE-2025-24016 | Wazuh SIEM Platform | 4.4.0 to 4.9.0 | Remote Code Execution | 9.9 (Critical)      | 4.9.1

The vulnerability is found in the as_wazuh_object function within the framework/wazuh/core/cluster/common.py file. This function deserializes JSON data from the Distributed API. The code snippet before the patch is shown below:

import datetime
from typing import Dict


def as_wazuh_object(dct: Dict):
    try:
        if 'wazuh_datetime' in dct:
            return datetime.datetime.fromisoformat(dct['wazuh_datetime'])
        elif 'unhandled_exc' in dct:
            exc_data = dct['unhandled_exc']
            # Unsafe: eval() resolves an attacker-controlled class name
            # and the result is called with attacker-controlled arguments.
            return eval(exc_data['class'])(*exc_data['args'])
        return dct
    except (KeyError, AttributeError):
        return dct

This code uses the eval function to run arbitrary Python code from the class and args fields, making it highly exploitable.

Impact and Exploitation

An attacker can exploit this vulnerability by sending a malicious JSON payload to the Wazuh server via the API. The payload must include the unhandled_exc key, along with class and args values to specify the code to execute. For example:

{
    "unhandled_exc": {
        "class": "os.system",
        "args": ["touch /tmp/pwned"]
    }
}

When processed by the as_wazuh_object function, the payload executes the command os.system("touch /tmp/pwned"), creating a /tmp/pwned file on the Wazuh server.

Mitigation

The vulnerability was fixed in Wazuh version 4.9.1 by replacing the unsafe eval function with ast.literal_eval, which safely evaluates a string containing a Python literal to prevent arbitrary code execution. Here’s the updated code snippet:

import ast
import datetime
import json
from typing import Dict


def as_wazuh_object(dct: Dict):
    try:
        if 'wazuh_datetime' in dct:
            return datetime.datetime.fromisoformat(dct['wazuh_datetime'])
        elif 'unhandled_exc' in dct:
            exc_data = dct['unhandled_exc']
            # The class name is no longer evaluated; it is kept as a plain
            # string key and the result is parsed as a Python literal only.
            exc_dict = {exc_data['class']: exc_data['args']}
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct
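As an added example (not Wazuh's own code), the following shows one alternative way to harden the same object hook: instead of evaluating anything, the "class" field is resolved only against an allowlist of built-in exception types, and a payload naming anything else is rejected and can be counted as a blocked request. It assumes the hook is installed via json.loads(..., object_hook=...) and that the allowlist of built-in exceptions is sufficient; both are assumptions, and the sample payloads are constructed, not captured traffic.

```python
import builtins
import datetime
import json
from typing import Any, Dict


class UnsafePayload(ValueError):
    """Raised when 'unhandled_exc' names something that is not a built-in exception."""


def _allowed_exception_class(name: str):
    # Hypothetical allowlist: only built-in exception classes may be rebuilt.
    # "os.system" is not an attribute of builtins, so getattr returns None.
    cls = getattr(builtins, name, None)
    if isinstance(cls, type) and issubclass(cls, BaseException):
        return cls
    return None


def as_wazuh_object_hardened(dct: Dict[str, Any]) -> Any:
    """Drop-in replacement for the page's object hook that never calls eval()."""
    if "wazuh_datetime" in dct:
        return datetime.datetime.fromisoformat(dct["wazuh_datetime"])
    if "unhandled_exc" in dct:
        exc_data = dct["unhandled_exc"]
        cls = _allowed_exception_class(str(exc_data.get("class", "")))
        args = exc_data.get("args", [])
        if cls is None or not isinstance(args, list):
            raise UnsafePayload(f"refused to reconstruct {exc_data.get('class')!r}")
        return cls(*args)
    return dct


def decode_dapi(raw: str) -> Any:
    # Assumed calling convention: the hook is applied to every decoded JSON object.
    return json.loads(raw, object_hook=as_wazuh_object_hardened)


def classify_payload(raw: str) -> str:
    """Return 'ok' or 'blocked'; suitable as a simple check over API request bodies."""
    try:
        decode_dapi(raw)
        return "ok"
    except UnsafePayload:
        return "blocked"


# Constructed sample inputs: a legitimate serialized exception and the page's payload shape.
BENIGN = '{"unhandled_exc": {"class": "KeyError", "args": ["agent_id"]}}'
MALICIOUS = '{"unhandled_exc": {"class": "os.system", "args": ["touch /tmp/pwned"]}}'
```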

To reduce the risk of CVE-2025-24016, organizations should take the following actions:

  • Upgrade to Wazuh version 4.9.1 or later.
  • Restrict API access to authorized users and systems.
  • Implement strong authentication, such as multi-factor authentication.
  • Monitor API traffic for unusual activity.
  • Regularly review and update security settings.
  • Use network segmentation to limit attack impact.
  • Deploy a Web Application Firewall (WAF) to help detect and block malicious requests before they reach the Wazuh server.

Exploiting CVE-2025-24016 can lead to severe consequences, including:

  • Full control of the Wazuh server, allowing attackers to access sensitive data and change configurations.
  • Compromise of the entire Wazuh cluster by taking over the master server.
  • Disruption of security monitoring, enabling further undetected attacks.
  • Theft of sensitive data, including logs and alerts.
  • Using the Wazuh server as a launch point for other network attacks.

Timely patching and strong security measures are essential to prevent such attacks.


About the Author:

FirstHackersNews - Identifies Security
