Open source security platform: Critical vulnerability in Wazuh allowed code injection
Attackers could remotely execute their own code on Wazuh servers via insecure deserialization. The attack also worked through hijacked agents.
(Image: created with AI in Bing Designer by heise online / dmk)
A critical vulnerability in the Wazuh open source security platform allowed attackers to inject their own code and take over vulnerable servers. Exploiting it required access to the API, i.e. a valid user account. In larger Wazuh deployments with more than one server, however, there was an even easier way to compromise a server.
Attack via API or agent
The easiest way to crack the open source SIEM (Security Information and Event Management) was via its API. If an attacker submitted a specially constructed serialized object containing Python code, the server deserialized it and executed the code. That was enough to shut the server down or take it over completely.
There was also a way to execute code via the Wazuh agent. The agent is a piece of software that establishes a connection from an endpoint (such as an office PC or a monitored web server) to the Wazuh server and reports monitoring data such as installed package versions or security events. In a deployment with more than one server, a hijacked agent could also execute code on one of the servers via a cleverly manipulated API call. This attack path did not work on smaller installations with only one server.
Update available since October
The critical vulnerability with the CVE ID CVE-2025-24016 (CVSS 9.9/10) was present in all Wazuh versions from 4.4.0 to 4.9.0 and has been fixed in version 4.9.1. Wazuh 4.10.1 is currently the latest version.
The update was released in October 2024, but it was not marked as security-critical at the time. Details of the vulnerability only became public a few days ago, in February 2025, and the changelog of the fixed version does not mention it either. Wazuh admins should therefore check whether their servers are up to date.
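As an added example (not code from the article or from the Wazuh project), the check below maps a reported Wazuh version onto the affected range the article gives, 4.4.0 through 4.9.0 with the fix in 4.9.1. It compares versions numerically rather than as strings, so 4.10.1 is correctly treated as newer than 4.9.0; the `/manager/info` response layout used in the constructed sample is an assumption about the Wazuh API, not something the article states.

```python
import json
import re

# Affected range and fix version as stated in the article (CVE-2025-24016).
FIRST_AFFECTED = (4, 4, 0)
LAST_AFFECTED = (4, 9, 0)
FIXED_IN = (4, 9, 1)


def parse_version(text: str) -> tuple:
    """Turn 'v4.9.1', 'Wazuh v4.10.1' or '4.9.1' into a comparable int tuple.

    Comparing tuples of ints avoids the string-comparison trap where
    '4.10.1' < '4.9.0' because '1' sorts before '9'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range 4.4.0 .. 4.9.0."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def assess_manager_info(body: str) -> dict:
    """Assess a manager-info style JSON body and say what to do about it.

    Assumption: the body looks like {"data": {"version": "v4.x.y", ...}}.
    """
    version = json.loads(body)["data"]["version"]
    affected = is_affected(version)
    action = "upgrade to 4.9.1 or later" if affected else "not affected by CVE-2025-24016"
    return {"version": version, "affected": affected, "action": action}


# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = json.dumps({"data": {"version": "v4.8.2", "type": "manager"}, "error": 0})

if __name__ == "__main__":
    print(assess_manager_info(SAMPLE_RESPONSE))
    for v in ("4.3.11", "4.4.0", "4.9.0", "4.9.1", "4.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```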
Wazuh is positioned as an open source alternative to commercial SIEM and EDR (Endpoint Detection and Response) systems and offers functions such as malware detection and vulnerability management.
(cku)