CVE-2025-24016
CRITICAL KEV NUCLEI
Wazuh server remote code execution caused by an unsafe deserialization vulnerability.
Title source: metasploit
Exploitation Summary
CVE-2025-24016 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 10, 2025.
EIP tracks 9 public exploits from researchers including 0xjessie21, guinea-offensive-security and MuhammadWaseem29, among them the Metasploit module exploits/linux/http/wazuh_auth_rce_cve_2025_24016.
A Nuclei detection template is also available.
AI-analyzed exploit summary
This is a functional exploit PoC for CVE-2025-24016, targeting an unsafe deserialization vulnerability in Wazuh servers. It leverages dictionary injection in DAPI requests to achieve remote code execution via a reverse shell.
Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (a compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Exploits (9)
This is a functional exploit PoC for CVE-2025-24016, targeting an unsafe deserialization vulnerability in Wazuh servers. It leverages dictionary injection in DAPI requests to achieve remote code execution via a reverse shell.
This PoC exploits a deserialization vulnerability in Wazuh to achieve remote code execution (RCE) via a crafted JSON payload. It establishes a reverse shell to a specified IP and port using a bash command injected through the `__unhandled_exc__` key.
This PoC demonstrates a remote code execution (RCE) vulnerability in Wazuh server due to unsafe deserialization in the `wazuh-manager` package. The exploit leverages the `run_as` endpoint to inject malicious payloads, leading to arbitrary code execution on the server.
This repository contains a Nuclei template designed to detect an unsafe deserialization vulnerability (CVE-2025-24016) in Wazuh servers. The template sends a crafted JSON payload to trigger a NameError, indicating the presence of the vulnerability.
This repository contains a Nuclei HTTP template for detecting CVE-2025-24016, an unsafe deserialization vulnerability in Wazuh web interface versions 4.4.0 to 4.9.0. The template checks for the presence of the Wazuh UI and confirms the version range to identify potential exposure to RCE.
This repository contains a functional PoC for CVE-2025-24016, exploiting unsafe deserialization in Wazuh's DistributedAPI to achieve remote code execution via crafted JSON payloads. The exploit leverages Python's `__reduce__` method to execute arbitrary commands on the target system.
This PoC demonstrates a remote code execution (RCE) vulnerability in Wazuh server due to unsafe deserialization in the `wazuh-manager` package. The exploit leverages the `run_as` endpoint to inject malicious payloads, leading to arbitrary code execution on the server.
This exploit leverages a deserialization vulnerability in Wazuh's worker authentication endpoint to execute arbitrary commands via a crafted JSON payload. It requires valid credentials and targets the `/security/user/authenticate/run_as` endpoint.
This Metasploit module exploits an unsafe deserialization vulnerability (CVE-2025-24016) in Wazuh server versions 4.4.0 to 4.9.1. It leverages forged exceptions in JSON-serialized DAPI parameters to achieve remote code execution via the `os.system` call.
Nuclei Templates (1)
title:"Wazuh"
app="Wazuh"
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H