{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24016", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-16T17:31:06.458Z", "datePublished": "2025-02-10T19:08:09.058Z", "dateUpdated": "2025-06-10T22:20:23.477Z"}, "containers": {"cna": {"title": "Remote code execution in Wazuh server", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh"}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"version": ">= 4.4.0, < 4.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T19:08:09.058Z"}, "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix."}], "source": {"advisory": "GHSA-hcrc-79hj-m3qh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-10T17:15:36.349888Z", "id": "CVE-2025-24016", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-06-10", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T22:20:23.477Z"}, "timeline": [{"time": "2025-06-10T00:00:00+00:00", "lang": "en", "value": "CVE-2025-24016 added to CISA KEV"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24016", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-10T17:15:36.349888Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2025-06-10", "reference": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:49:19.443Z"}, "timeline": [{"lang": "en", "time": "2025-06-10T00:00:00+00:00", "value": "CVE-2025-24016 added to CISA KEV"}]}], "cna": {"title": "Remote code execution in Wazuh server", "source": {"advisory": "GHSA-hcrc-79hj-m3qh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"status": "affected", "version": ">= 4.4.0, < 4.9.1"}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh", "name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-10T19:08:09.058Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24016", "state": "PUBLISHED", "dateUpdated": "2025-06-10T22:20:23.477Z", "dateReserved": "2025-01-16T17:31:06.458Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-10T19:08:09.058Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cisaActionDue": "2025-07-01", "cisaExploitAdd": "2025-06-10", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Wazuh Server Deserialization of Untrusted Data Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB8004AB-265E-4432-AC10-8361DCFC1F56", "versionEndExcluding": "4.9.1", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix."}, {"lang": "es", "value": "Wazuh es una plataforma gratuita y de c\u00f3digo abierto que se utiliza para la prevenci\u00f3n, detecci\u00f3n y respuesta ante amenazas. A partir de la versi\u00f3n 4.4.0 y antes de la versi\u00f3n 4.9.1, una vulnerabilidad de deserializaci\u00f3n insegura permite la ejecuci\u00f3n remota de c\u00f3digo en servidores Wazuh. Los par\u00e1metros de DistributedAPI se serializan como JSON y se deserializan utilizando `as_wazuh_object` (en `framework/wazuh/core/cluster/common.py`). Si un atacante logra inyectar un diccionario no depurado en una solicitud/respuesta DAPI, puede falsificar una excepci\u00f3n no controlada (`__unhandled_exc__`) para evaluar c\u00f3digo Python arbitrario. La vulnerabilidad puede ser activada por cualquier persona con acceso a la API (panel de control comprometido o servidores Wazuh en el cl\u00faster) o, en ciertas configuraciones, incluso por un agente comprometido. La versi\u00f3n 4.9.1 contiene una correcci\u00f3n."}], "id": "CVE-2025-24016", "lastModified": "2025-06-11T21:11:44.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-10T20:15:42.540", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}