Wazuh Server 4.4.0 < 4.9.1 RCE

critical Nessus Plugin ID 235712

Synopsis

The remote host contains a threat prevention, detection, and response platform that is affected by a remote code execution vulnerability.

Description

The version of Wazuh Server on the remote host is at least 4.4.0 and prior to 4.9.1. It is, therefore, affected by a remote code execution vulnerability:

- Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (a compromised dashboard or a Wazuh server in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix. (CVE-2025-24016)
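The pattern described above, as an added illustration that is not Wazuh's own code: a JSON object hook that rebuilds a serialized exception by evaluating the class name it finds under `__unhandled_exc__`, placed beside a hardened hook that only resolves names from an allow-list of built-in exception classes and evaluates nothing. The inner key names `__class__` and `__args__`, the allow-list design and the payloads are assumptions made for this example; the real fix in 4.9.1 should be read from the advisory linked under See Also.

```python
import builtins
import json

# Simplified stand-in for an object_hook that rebuilds an exception that was
# serialized as {"__unhandled_exc__": {"__class__": "...", "__args__": [...]}}.
# The inner key names are an assumption for this illustration.


def vulnerable_hook(dct):
    """Trusts the class name and eval()s it: any Python expression executes."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])
    return dct


# Allow-list: every built-in exception class, keyed by its plain name.
ALLOWED_EXCEPTIONS = {
    name: obj
    for name, obj in vars(builtins).items()
    if isinstance(obj, type) and issubclass(obj, BaseException)
}


def hardened_hook(dct):
    """Resolves the class name against an allow-list; never evaluates input."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        name = exc.get("__class__")
        cls = ALLOWED_EXCEPTIONS.get(name)
        if cls is None:
            raise ValueError(f"refusing to rebuild unknown exception class {name!r}")
        args = exc.get("__args__", [])
        if not isinstance(args, list):
            raise ValueError("__args__ must be a list")
        return cls(*args)
    return dct


def decode(payload, hook):
    """Deserialize a DAPI-style JSON message with the given object hook."""
    return json.loads(payload, object_hook=hook)


# Constructed messages: a legitimate serialized exception and a forged one whose
# "class name" is an expression rather than a name.
LEGIT = json.dumps(
    {"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["bad input"]}}
)
FORGED = json.dumps(
    {"__unhandled_exc__": {"__class__": "(lambda *a: 'code ran')", "__args__": []}}
)


def demo():
    """Run both payloads through both hooks and report what each produced."""
    results = {}
    results["vuln_legit"] = repr(decode(LEGIT, vulnerable_hook))
    # eval() turns the expression into a callable, which is then called with __args__.
    results["vuln_forged"] = decode(FORGED, vulnerable_hook)
    results["hard_legit"] = repr(decode(LEGIT, hardened_hook))
    try:
        decode(FORGED, hardened_hook)
        results["hard_forged"] = "accepted"
    except ValueError:
        results["hard_forged"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged message is harmless here (it returns a string), but the vulnerable hook would just as readily evaluate an expression that imports `os` or `subprocess`. The hardened hook keeps the legitimate round-trip intact while turning a forged class name into a deserialization error instead of code execution; on a real server that error should also be logged, since it is a strong signal of a tampered DAPI message.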

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
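Since the plugin relies on the self-reported version, an administrator can confirm exposure with the same kind of check. The following is an added example, not part of the plugin or of Wazuh: it parses the `WAZUH_VERSION="vX.Y.Z"` line that `/var/ossec/bin/wazuh-control info` prints (the sample outputs below are constructed and the output format is assumed) and reports whether the version falls in the affected range, 4.4.0 inclusive to 4.9.1 exclusive.

```python
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 4, 0)   # first affected release (inclusive)
FIXED = (4, 9, 1)          # first fixed release (exclusive upper bound)

_VERSION_RE = re.compile(r'^WAZUH_VERSION="v?(\d+)\.(\d+)\.(\d+)"', re.MULTILINE)


def parse_version(control_info_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from wazuh-control info output, or None."""
    match = _VERSION_RE.search(control_info_output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when AFFECTED_MIN <= version < FIXED (tuple comparison is lexicographic)."""
    return AFFECTED_MIN <= version < FIXED


def assess(control_info_output: str) -> str:
    """Return 'affected', 'not affected' or 'unknown' for one host's output."""
    version = parse_version(control_info_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


# Constructed sample outputs in the assumed wazuh-control info format.
SAMPLES = {
    "old":     'WAZUH_VERSION="v4.3.10"\nWAZUH_REVISION="40320"\nWAZUH_TYPE="server"\n',
    "first":   'WAZUH_VERSION="v4.4.0"\nWAZUH_REVISION="40400"\nWAZUH_TYPE="server"\n',
    "last":    'WAZUH_VERSION="v4.9.0"\nWAZUH_REVISION="40900"\nWAZUH_TYPE="server"\n',
    "fixed":   'WAZUH_VERSION="v4.9.1"\nWAZUH_REVISION="40911"\nWAZUH_TYPE="server"\n',
    "garbled": 'wazuh-control: command not found\n',
}


if __name__ == "__main__":
    for label, output in SAMPLES.items():
        print(f"{label}: {assess(output)}")
```

Because the lower bound is inclusive and the upper bound is exclusive, 4.4.0 and 4.9.0 are reported as affected while 4.9.1 is not; any output that does not carry a version line is reported as unknown rather than silently treated as safe.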

Solution

Upgrade to Wazuh Server version 4.9.1 or later.

See Also

https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

Plugin Details

Severity: Critical

ID: 235712

File Name: wazuh_server_4_9_1.nasl

Version: 1.1

Type: local

Agent: unix

Family: Misc.

Published: 5/12/2025

Updated: 5/12/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.9

CVSS v2

Risk Factor: High

Base Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:C

CVSS Score Source: CVE-2025-24016

CVSS v3

Risk Factor: Critical

Base Score: 9.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

Vulnerability Information

CPE: cpe:/a:wazuh:wazuh

Patch Publication Date: 2/10/2025

Vulnerability Publication Date: 2/10/2025

Reference Information

CVE: CVE-2025-24016

IAVA: 2025-A-0297