Active Exploitation of Critical RCE Vulnerability in Wazuh

CVE-2025-24016 could allow a remote, authenticated attacker to execute arbitrary Python code on the Wazuh server

Threat ID:: CC-4669
Threat Severity:: Medium
Published:: 13 June 2025 12:23 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2025-24016 could allow a remote, authenticated attacker to execute arbitrary Python code on the Wazuh server

Affected platforms

The following platforms are known to be affected:

Wazuh

wazuh-manager

Versions 4.4.0 to 4.9.0

Threat details

Active exploitation of CVE-2025-24016

Security researchers at Akamai have reported that CVE-2025-24016 is under active exploitation to deploy variants of the Mirai botnet. Additionally, multiple proof-of-concept exploits are publicly available.

The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

Wazuh released a security advisory in February 2025 to disclose a critical vulnerability CVE-2025-24016 in the wazuh-manager component of Wazuh. Wazuh is an open-source XDR and SIEM platform. Security researchers have now reported that CVE-2025-24016 is under exploitation in multiple campaigns.

CVE-2025-24016 is "deserialization of untrusted data" vulnerability with a CVSSv3 score of 9.9. If exploited, a remote authenticated attacker with access to the Wazuh API or a compromised Wazuh agent could execute arbitrary Python code on the Wazuh server.

Remediation advice

Affected organisations are strongly encouraged to review GHSA-hcrc-79hj-m3qh and update Wazuh to version 4.9.1 or later.

Organisations are also encouraged to review Akamai's blog post detailing the exploitation campaign and hunt for malicious behaviour and indicators across their estate.

Indicators of compromise

Malicious IPv4 addresses

209.141.34[.]106
176.65.142[.]137
65.222.202[.]53
196.251.86[.]49
176.65.134[.]62
104.168.101[.]27
104.168.101[.]23
79.124.40[.]46
194.195.90[.]179

Malicious domains

nuklearcnc.duckdns[.]org
jimmyudp-raw[.]xyz
pangacnc[.]com
neon.galaxias[.]cc
cbot.galaxias[.]cc
resbot[.]online
versioneonline[.]com
web-app-on[.]com
Assicurati-con-linear[.]online
webdiskwebdisk.webprocediweb[.]com
continueoraweb[.]com
ora-0-web[.]com
adesso-online[.]com
multi-canale[.]com
eversioneweb[.]com
gestisciweb[.]com

SHA256 hashes

dece5eaeb26d0ca7cea015448a809ab687e96c6182e56746da9ae4a2b16edaa9
7b659210c509058bd5649881f18b21b645acb42f56384cbd6dcb8d16e5aa0549
64bd7003f58ac501c7c97f24778a0b8f412481776ab4e6d0e4eb692b08f52b0f
4c1e54067911aeb5aa8d1b747f35fdcdfdf4837cad60331e58a7bbb849ca9eed
811cd6ebeb9e2b7438ad9d7c382db13c1c04b7d520495261093af51797f5d4cc
90df78db1fb5aea6e21c3daca79cc690900ef8a779de61d5b3c0db030f4b4353
8a58fa790fc3054c5a13f1e4e1fcb0e1167dbfb5e889b7c543d3cdd9495e9ad6
c9df0a2f377ffab37ede8f2b12a776a7ae40fa8a6b4724d5c1898e8e865cfea1
6614545eec64c207a6cc981fccae8077eac33a79f286fc9a92582f78e2ae243a
9d5c10c7d0d5e2ce8bb7f1d4526439ce59108b2c631dd9e78df4e096e612837b
be4070b79a2f956e686469b37a8db1e7e090b9061d3dce73e3733db2dbe004f0
e6cf946bd5a17909ae3ed9b1362cfaafa7afe02e74699dcbc3d515a6f964b0b0
4d9f632e977b16466b72b6ee90b6de768c720148c1e337709b57ca49c1cdffb6
a0b47c781e70877ad4e721ba49f64fc0bc469e38750f070a232d12f03d9990bc
941a30698db98f29919cba80e66717c25592697b1447f3e96825730229d97549

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2025-24016

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are a serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.

Last edited: 13 June 2025 12:23 pm