CVE-2026-25769

CRITICAL LAB

Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization

Title source: cna

Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-25769. PoCs published by adminlove520, hakaioffsec, 0xBlackash.

AI-analyzed exploit summary: The repository contains only a README.md file with minimal information about CVE-2026-25769, lacking any exploit code or technical details. It describes the vulnerability as an RCE in Wazuh but provides no further analysis or proof-of-concept.

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.

Exploits (5)

github STUB 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-25769

The repository contains only a README.md file with minimal information about CVE-2026-25769, lacking any exploit code or technical details. It describes the vulnerability as an RCE in Wazuh but provides no further analysis or proof-of-concept.

Classification: Stub (90%)
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Wazuh (version unspecified)
No auth needed
Prerequisites: unknown
devstral-2 · analyzed May 02, 2026
nomisec WORKING POC 2 stars
by hakaioffsec · poc
https://github.com/hakaioffsec/CVE-2026-25769

This repository contains a functional exploit for CVE-2026-25769, demonstrating remote code execution via insecure deserialization in Wazuh Cluster. The PoC leverages a crafted payload to execute arbitrary commands on vulnerable Wazuh instances.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wazuh Cluster < v4.14.1
No auth needed
Prerequisites: Access to a vulnerable Wazuh Cluster instance · Python environment with asyncio support
devstral-2 · analyzed Mar 18, 2026
nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-25769

This repository provides a detailed technical analysis of CVE-2026-25769, an insecure deserialization vulnerability in Wazuh cluster mode that allows a compromised worker node to achieve root RCE on the master node. It includes attack paths, mitigation steps, detection logic, and risk assessment.

Classification: Writeup (95%)
Attack Type: Deserialization
Complexity: Moderate
Reliability: Theoretical
Target: Wazuh (versions 4.0.0 to 4.14.2)
Auth required
Prerequisites: compromised worker node · Wazuh cluster mode enabled
devstral-2 · analyzed Apr 13, 2026
nomisec SUSPICIOUS
by njeru-codes · poc
https://github.com/njeru-codes/CVE-2026-25769

The repository lacks exploit code and provides minimal technical details about CVE-2026-25769, focusing instead on vague descriptions of Wazuh and the vulnerability without depth.

Classification: Suspicious (90%)
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Wazuh (version unspecified)
No auth needed
Prerequisites: unknown
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC
by Samres27 · poc
https://github.com/Samres27/CVE-2026-25769---CVE-2026-25770

This repository contains a functional PoC for CVE-2026-25769 and CVE-2026-25770, which exploit deserialization and file write vulnerabilities in Wazuh cluster configurations. The PoC includes Docker setup and exploit scripts to demonstrate RCE on the master node via worker communication.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Wazuh Manager ≥ 4.0.0
No auth needed
Prerequisites: Wazuh cluster with master and worker nodes · Network access to the cluster
devstral-2 · analyzed Mar 21, 2026

Scores

CVSS v3 9.1
EPSS 0.0046
EPSS Percentile 64.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

Community Lab
docker pull wazuh/wazuh-manager:4.9.2
docker pull wazuh/wazuh-manager:4.14.0

Details

CWE
CWE-502
Status published
Products (2)
wazuh/wazuh 4.0.0 - 4.14.3
wazuh/wazuh >= 4.0.0, < 4.14.3
Published Mar 17, 2026
Tracked Since Mar 18, 2026