🔴 CVE-2025-24016

Critical unsafe deserialization vulnerability in Wazuh security platform allows remote code execution through the DistributedAPI. Attackers with API access can inject malicious dictionaries to execute arbitrary Python code on Wazuh servers.

Risk Level: HIGH_RISK
CVSS Score: 9.9
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-02-10

Added to CISA KEV: 2025-06-10 (120 days between CVE publication and KEV addition)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-24016 is a critical remote code execution (RCE) vulnerability affecting the Wazuh open-source security platform [2] [3].

Vulnerability Overview
  • Nature of Flaw: The vulnerability stems from unsafe deserialization of JSON objects within the DistributedAPI (DAPI) component of the Wazuh manager [1] [3].
  • Impact: Successful exploitation allows an attacker to execute arbitrary Python code on the underlying Wazuh server, potentially compromising the entire security framework [3] [4].
Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability is known to be actively exploited in the wild [1] [4].
  • Threat Actors: It has been utilized by botnet operators, specifically for the deployment of Mirai botnets [1] [5].
  • Ransomware: While actively exploited, there is no evidence or confirmation from CISA that this vulnerability has been used in ransomware campaigns [3].
  • Proof-of-Concept: Multiple proof-of-concept (PoC) exploits are publicly available, including repositories on GitHub [4] [6].
Attack Requirements
  • Access Level: Exploitation requires the attacker to have API access. This can be achieved through a compromised dashboard, an internal server, or a compromised Wazuh agent [1] [5].
  • Method: Attackers inject an unsanitized dictionary into DistributedAPI (DAPI) requests to trigger the unsafe deserialization [1].
Affected Versions and Mitigation
  • Affected Versions: Wazuh versions 4.4.0 through 4.9.0 are vulnerable [2] [5].
  • Patch Status: The vulnerability was addressed in version 4.9.1 [2] [5]. Users are strongly urged to upgrade to this version or later to mitigate the risk [5].
  • Guidance: The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, and organizations are advised to follow the associated guidance [2] [1].

Sources

  1. Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets [CVE ...

    The flaw stems from unsafe deserialization of JSON objects within the DistributedAPI (DAPI), specifically in the az_wazuh_object function. ... June 12 Advisory: Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets [CVE-2025-24016] ... Any threat actor with API access (including a compromised da…

  2. CVE-2025-24016 Detail - NVD

    An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON. ... CVE-2025-24016 Detail. Description. Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4…

  3. securityvulnerability.io/vulnerability/CVE-2025-24016

    CVE-2025-24016 is a remote code execution vulnerability identified in the Wazuh platform, which is an open-source solution designed for threat detection, prevention, and response. ... CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-24016 as being exploited but is not kno…

  4. Active Exploitation of Critical RCE Vulnerability in Wazuh - NHS Digital

    CVE-2025-24016 could allow a remote, authenticated attacker to execute arbitrary Python code on the Wazuh server. CVE-2025-24016 is under ... CVE-2025-24016 is under active exploitation to deploy botnets and multiple proof-of-concept exploits are publicly available. CVE-2025-24016 is "deserialization…

  5. CVE-2025-24016 - Exploits & Severity - Feedly

    CVE-2025-24016 is a critical vulnerability in Wazuh versions 4.4.0 to 4.9.0, allowing for remote code execution through unsafe deserialization of ... Threat Intelligence Report. CVE-2025-24016 is a critical vulnerability in Wazuh versions 4.4.0 to 4.9.0, allowing for remote code execution through un…

  6. Wazuh Remote Code Execution (RCE) - PoC - GitHub

    This repository demonstrates the remote code execution (RCE) vulnerability in the Wazuh server, introduced by an unsafe deserialization in the wazuh-manager ...