CVE-2025-24016 Scanner – Remote Code Execution via Unsafe Deserialization in Wazuh
Short Info

| Field | Value |
| --- | --- |
| Level | Single Scan |
| Can be used by | Asset Owner |
| Estimated Time | 10 seconds |
| Time Interval | 1 week 19 hours |
| Scan only one | Domain, Subdomain, IPv4 |
| Toolbox | - |
Wazuh is an open-source security monitoring platform used for threat detection, compliance monitoring, and incident response. Its architecture includes a manager that orchestrates agent communication, log processing, and rule execution. The Wazuh server exposes a DistributedAPI (DAPI) that enables remote management through authenticated API requests.
CVE-2025-24016 is a critical vulnerability affecting Wazuh versions 4.4.0 through 4.9.0. The flaw stems from **unsafe deserialization of user-supplied data** in the DAPI. Specifically, serialized parameters are processed using the `as_wazuh_object` function within the `common.py` module. This function fails to adequately validate or restrict the types of deserialized objects, allowing injection of arbitrary Python classes.
An attacker with valid API credentials can exploit this by submitting a maliciously crafted JSON object to the `/security/user/authenticate/run_as` endpoint. For example, a payload like:

```json
{ "__unhandled_exc__": { "__class__": "NotARealClass", "__args__": [] } }
```

will attempt to instantiate a class during deserialization. If an exploitable object chain is available in memory or if dynamic evaluation is used, this could result in full remote code execution (RCE) under the privileges of the `wazuh-manager` process.
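The following is an added illustration, not Wazuh's `as_wazuh_object` code, of the deserialization pattern described above and of the allowlist fix that closes it. A JSON `object_hook` that resolves whatever name the client puts in `__class__` reproduces the page's symptom (a `NameError` for an unknown name, and instantiation of an arbitrary reachable class for a known one); the hardened hook only instantiates classes from a fixed allowlist and rejects everything else with a controlled error. The `WazuhResult`/`WazuhError` classes, `UnsafeDeserialization`, and `probe` are assumptions made for the example.

```python
"""Added example (not Wazuh's code): unsafe class lookup in a JSON object_hook
versus an allowlisted deserializer. Class names and helpers are assumptions."""
import json
from dataclasses import dataclass


@dataclass
class WazuhResult:          # hypothetical result type the API is meant to accept
    data: dict


@dataclass
class WazuhError:           # hypothetical error type the API is meant to accept
    code: int
    message: str


# Payload shape quoted on the page.
PAYLOAD = '{"__unhandled_exc__": {"__class__": "NotARealClass", "__args__": []}}'


def unsafe_object_hook(d: dict):
    """Vulnerable pattern: any name the client supplies in __class__ is resolved
    against the module namespace and instantiated with client-chosen __args__."""
    if "__class__" in d:
        name = d["__class__"]
        try:
            cls = globals()[name]               # not restricted to result types
        except KeyError:
            # Unknown name: the symptom the scanner sees (500 + NameError).
            raise NameError(f"name '{name}' is not defined") from None
        return cls(*d.get("__args__", []))
    return d


class UnsafeDeserialization(ValueError):
    """Raised by the hardened hook; maps to a 4xx response, never a 500."""


# Only types the API legitimately exchanges may be reconstructed.
ALLOWED_CLASSES = {"WazuhResult": WazuhResult, "WazuhError": WazuhError}


def safe_object_hook(d: dict):
    """Hardened pattern: allowlist lookup, no namespace or dynamic evaluation."""
    if "__class__" in d:
        cls = ALLOWED_CLASSES.get(d["__class__"])
        if cls is None:
            raise UnsafeDeserialization(f"class not allowed: {d['__class__']!r}")
        args = d.get("__args__", [])
        if not isinstance(args, list):
            raise UnsafeDeserialization("__args__ must be a list")
        return cls(*args)
    return d


def deserialize(payload: str, hook=safe_object_hook):
    """Parse a JSON document, reconstructing objects through the given hook."""
    return json.loads(payload, object_hook=hook)


def probe(payload: str, hook) -> str:
    """Return 'ok' or the name of the exception the hook raised for a payload."""
    try:
        deserialize(payload, hook)
        return "ok"
    except Exception as exc:            # noqa: BLE001 - we want the class name
        return type(exc).__name__


if __name__ == "__main__":
    for name, hook in (("unsafe", unsafe_object_hook), ("safe", safe_object_hook)):
        print(f"{name:6s} hook on quoted payload -> {probe(PAYLOAD, hook)}")
```

The allowlist removes the arbitrary-class problem but not the need to validate `__args__`: every constructor in `ALLOWED_CLASSES` is still called with client-controlled arguments, so those types must tolerate any argument values (or validate them) before being allowlisted.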
The flaw can be confirmed by a `500 Internal Server Error` response whose body contains a `NameError`, indicating that the application attempted to load a non-existent class, a key sign of insecure deserialization.
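As an added example (not the scanner's own code), the two signals the page gives, the affected version range 4.4.0 through 4.9.0 and the `500` plus `NameError` response signature, can be combined into one assessment of a manager's own scan result. The version strings and HTTP responses below are constructed samples, and `assess` with its verdict labels is an assumption made for the example.

```python
"""Added example (not part of the scanner): classify a Wazuh manager from its
reported version and the response it gave to the probe described above.
Sample versions and responses are constructed; function names are assumptions."""
import json
import re

# Affected range as stated on the page.
AFFECTED_MIN = (4, 4, 0)
AFFECTED_MAX = (4, 9, 0)


def parse_version(text: str):
    """Extract a major.minor.patch tuple from strings such as 'v4.8.0' or
    'Wazuh 4.8.0'; return None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def version_in_affected_range(text: str) -> bool:
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def response_indicates_unsafe_deserialization(status: int, body: str) -> bool:
    """Signature from the page: HTTP 500 whose body reports a NameError, i.e.
    the server tried to resolve a class name taken from the request."""
    if status != 500:
        return False
    try:
        text = json.dumps(json.loads(body))   # normalise JSON bodies before matching
    except ValueError:
        text = body                           # plain-text error page
    return "NameError" in text


def assess(version_text: str, status: int, body: str) -> str:
    """Return 'vulnerable' (behavioural confirmation), 'version-in-range'
    (banner in range but the probe was handled) or 'not-affected'."""
    if response_indicates_unsafe_deserialization(status, body):
        return "vulnerable"          # observed behaviour outranks the banner
    if version_in_affected_range(version_text):
        return "version-in-range"
    return "not-affected"


# Constructed samples: (reported version, HTTP status, response body).
SAMPLES = {
    "unpatched": ("v4.8.0", 500,
                  '{"title": "Internal Server Error", '
                  '"detail": "NameError: name \'NotARealClass\' is not defined"}'),
    "rejected":  ("v4.9.0", 400, '{"title": "Bad Request", "detail": "Invalid body"}'),
    "outside":   ("v4.9.1", 400, '{"title": "Bad Request", "detail": "Invalid body"}'),
}


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:10s} -> {assess(*sample)}")
```

A `version-in-range` verdict is worth keeping separate from `not-affected`: a 4xx on the probe may come from a proxy, a WAF, or an account lacking the right to call `run_as`, none of which prove the manager itself was updated.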