AI description
CVE-2025-24016 is a critical remote code execution (RCE) vulnerability found in the Wazuh security platform, versions 4.4.0 through 4.9.0. It allows attackers to execute arbitrary code on affected Wazuh servers. The vulnerability arises from unsafe deserialization of DistributedAPI (DAPI) parameters. These parameters are serialized as JSON and then deserialized using the `as_wazuh_object` function. Attackers can exploit this by injecting a malicious, unsanitized dictionary into a DAPI request or response, leading to the execution of arbitrary Python code. This vulnerability can be exploited by anyone with API access, potentially including compromised dashboards, other Wazuh servers within a cluster, or even compromised agents, depending on the configuration. Wazuh has addressed this vulnerability in version 4.9.1. Users are strongly encouraged to update to this version to mitigate the risk of exploitation.
- Description
- Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Secondary
- Base score
- 9.9
- Impact score
- 6
- Exploitability score
- 3.1
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- Wazuh Server Deserialization of Untrusted Data Vulnerability
- Exploit added on
- Jun 10, 2025
- Exploit action due
- Jul 1, 2025
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- security-advisories@github.com
- CWE-502
Originally from: Wazuh: Addressing the CVE-2025-24016 vulnerability https://t.co/chVsa5BBnR ( :-{ı▓ #wazuh #siem #cyberresearch https://t.co/uR8r7xRC6b
@Cyb3rR3s34rch
12 Jul 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Exploitation of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution https://t.co/vXrJgT98Dr https://t.co/0N9GEJczOL
@IdentityJason
17 Jun 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Two botnets exploit the same vulnerability: Akamai warns of active exploitation of CVE-2025-24016 https://t.co/8gxZEEv25I
@KolaricDav5471
17 Jun 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Remote Code Execution Vulnerability Discovered in Wazuh Cybersecurity Platform A critical remote code execution (RCE) vulnerability, identified as CVE-2025-24016, has been discovered in Wazuh, an open-source cybersecurity platform widely used for threat detection, incident https
@PPHM_HackerNews
16 Jun 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Mirai botnets exploit critical Wazuh flaw (CVE-2025-24016) to spread chaos! Patch to 4.9.1 now to stop Resbot & others. #Cybersecurity #Botnet https://t.co/ZAz22QU8uO
@xcybersecnews
16 Jun 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical security vulnerability in Wazuh Server, CVE-2025-24016, is being exploited by threat actors to spread Mirai botnet variants used in DDoS attacks, potentially affecting Indonesia's cybersecurity. >>> https://t.co/Hk4GRdrptW
@DoyanBocor
15 Jun 2025
142 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Akamai SIRT identified an active exploitation of the remotely exploitable unsafe deserialization vulnerability CVE-2025-24016 against Wazuh servers. Learn more: https://t.co/t5LT1fBRpo https://t.co/nCvsSSaMPA
@Akamai
13 Jun 2025
622 Impressions
3 Retweets
4 Likes
1 Bookmark
2 Replies
0 Quotes
🚨CVE-2025-24016, a critical remote code execution #vulnerability affecting #Wazuh servers, has been exploited by Mirai #botnets. 🤖‼️ https://t.co/yPayXV5x9n
@M4nticonsuling
12 Jun 2025
38 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-24016 #Wazuh Server Deserialization of Untrusted Data Vulnerability https://t.co/bx7kPDCgqj
@ScyScan
12 Jun 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Exploitation of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution https://t.co/be1EjW7Zg8 https://t.co/XI8PaFx4V2
@CloudVirtues
12 Jun 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Exploitation of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution https://t.co/WEo3y0k1Ml https://t.co/8mj2Ry4GOB
@scandaletti
12 Jun 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
.@Akamai SIRT identified an active exploitation of the remotely exploitable unsafe deserialization vulnerability CVE-2025-24016 against Wazuh servers. Learn more. #AkamaiSecurity https://t.co/Tudg1AS4yA https://t.co/A7SH3rYmd6
@AngeloAkamai
12 Jun 2025
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 Wazuh, Remote Code Execution via Unsafe Deserialization, #CVE-2025-24016 (Critical) https://t.co/KA6sQ3Nopt
@dailycve
12 Jun 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📢 CVE-2025-24016 – Critical vulnerability (CVSS 9.9) in Wazuh Server, actively exploited via RCE and used in Mirai botnets. 🔐 Immediate update and restricting API access are recommended. 🔗 Details: https://t.co/8u9If6blY7 #DNSC #CyberAlert https://t.co/
@DNSC_RO
12 Jun 2025
30 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Exploitation of Wazuh CVE-2025-24016 vulnerability leads to Mirai botnet distribution https://t.co/QRIcHpF0mo https://t.co/fTHkWANiox
@SirajD_Official
12 Jun 2025
23 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
.@Akamai SIRT identified an active exploitation of the remotely exploitable unsafe deserialization vulnerability CVE-2025-24016 against Wazuh servers. Learn more. #AkamaiSecurity https://t.co/EEzszRlFTE https://t.co/lcqTBLD2FR
@RaghuNain
11 Jun 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#DOYOUKNOWCVE CISA has added four new high-impact vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — signaling active exploitation in the wild and urgent patching needs for defenders. 1. CVE-2025-24016 – Wazuh Servers (RCE via Unsafe Deserialization
@Loginsoft_Inc
11 Jun 2025
42 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
#DOYOUKNOWCVE CISA has added four new high-impact vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — signaling active exploitation in the wild and urgent patching needs for defenders. 1. CVE-2025-24016 – Wazuh Servers (RCE via Unsafe Deserialization) 2
@Loginsoft_Inc
11 Jun 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Threat Campaign: Wazuh RCE Vulnerability (CVE-2025-24016) Exploited by Mirai Variants in IoT Botnet Campaigns🚨 Summary: Mirai variants are actively exploiting the critical remote code execution (RCE) vulnerability CVE-2025-24016 in Wazuh servers, enabling remote code htt
@CyberxtronTech
11 Jun 2025
72 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Threat Campaign: Wazuh RCE Vulnerability (CVE-2025-24016) Exploited by Mirai Variants in IoT Botnet Campaigns🚨 Summary: Mirai variants are actively exploiting the critical remote code execution (RCE) vulnerability CVE-2025-24016 in Wazuh servers, enabling remote code htt
@CyberxtronTech
11 Jun 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
.@Akamai SIRT identified an active exploitation of the remotely exploitable unsafe deserialization vulnerability CVE-2025-24016 against Wazuh servers. Learn more. #AkamaiSecurity https://t.co/gXs7XL8xpX https://t.co/RfFVKkPulC
@Jrenou
11 Jun 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ We added Wazuh server & Web Distributed Authoring and Versioning vulnerabilities CVE-2025-24016 & CVE-2025-33053 to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecu
@CISACyber
10 Jun 2025
8572 Impressions
29 Retweets
64 Likes
10 Bookmarks
0 Replies
1 Quote
🚨 CVE-2025-24016 🚨 CRITICAL RCE in @Wazuh (<4.9.1) via unsafe deserialization in DistributedAPI (CVSS 9.9). Upgrade to 4.9.1 NOW! Read our annotated CVE report at: https://t.co/JfaICxG7BO #infosec #Wazuh #CyberSecurity https://t.co/OkOZDlZCYc
@BaseFortify
10 Jun 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched #Wazuh servers targeted by #Mirai #botnets (CVE-2025-24016) https://t.co/D0M9YBwip8
@ScyScan
10 Jun 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016) https://t.co/9iYvMEFVfD #HelpNetSecurity #Cybersecurity https://t.co/kFICNyivy7
@PoseidonTPA
10 Jun 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Two Botnets, One Flaw: Mirai Spreads Through Wazuh Vulnerability active exploitation of the critical remote code execution (RCE) vulnerability CVE-2025-24016 against Wazuh servers (CVSS 9.9). https://t.co/epYgzmk1mm
@ngnicky
9 Jun 2025
37 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability in Wazuh (CVE-2025-24016) exploited by Mirai botnets has been identified. More information: https://t.co/dcUJuSJI1k https://t.co/A8ajd1zSnp
@CSIRT_Telconet
9 Jun 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability CVE-2025-24016 in Wazuh Server is being exploited to deploy Mirai variants like LZRD and neon for DDoS attacks worldwide 🌐 IoT devices and servers remain at risk. Stay vigilant! #Mirai #IoT #USA https://t.co/d0V8RA3Vzv
@TweetThreatNews
9 Jun 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24016: Two Botnets Hijack Wazuh Servers in Latest Mirai Malware Wave #CVE202524016 #MiraiBotnet #WazuhVulnerability #DDoSAttack #CyberSecurity #IoTSecurity #BotnetThreat #Infosec #LinuxMalware #PatchNow https://t.co/f8llDMAbCw
@cyashadotcom
9 Jun 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 A critical security vulnerability in the Wazuh server was exploited by cybercriminals to launch two different types of Mirai botnets, leading to DDoS attacks. Akamai discovered this campaign
@Cybercachear
9 Jun 2025
30 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical flaw in Wazuh Server (CVE-2025-24016) is being actively exploited to drop multiple Mirai botnet variants—sparking massive DDoS attacks worldwide. Millions of IoT devices remain vulnerable, fueling relentless botnet growth and escalating g... https://t.co/yKZlZ8JM1f
@IT_news_for_all
9 Jun 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical flaw in Wazuh Server (CVE-2025-24016) is being actively exploited to drop multiple Mirai botnet variants—sparking massive DDoS attacks worldwide. Millions of IoT devices remain vulnerable, fueling relentless botnet growth and escalating global cyber threats. Detail
@TheHackersNews
9 Jun 2025
2706 Impressions
10 Retweets
16 Likes
3 Bookmarks
0 Replies
1 Quote
CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution #WazuhCVE #RCEvulnerability #UnsafeDeserialization #RemoteCodeExecution #PatchAnalysis https://t.co/Qdc0h7k2CW
@reverseame
20 Apr 2025
2360 Impressions
9 Retweets
16 Likes
18 Bookmarks
0 Replies
1 Quote
#Vulnerability #CVE202524016 CVE-2025-24016 (CVSS 9.9): Critical RCE Vulnerability Discovered in Wazuh Server https://t.co/z1AZdFOZWB https://t.co/dFqo3bRpAx
@Komodosec
6 Apr 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution https://t.co/defmjDZfGk
@Dinosn
17 Mar 2025
4464 Impressions
24 Retweets
72 Likes
21 Bookmarks
1 Reply
0 Quotes
CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution https://t.co/Fux4diBy3k https://t.co/BMI6m2nLcO
@secharvesterx
17 Mar 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24016: Unsafe Deserialization Vulnerability in Wazuh Leading to Remote Code Execution https://t.co/hEfc3L7CKS
@_r_netsec
17 Mar 2025
752 Impressions
1 Retweet
3 Likes
3 Bookmarks
0 Replies
0 Quotes
⚠️Exploitation of CVE-2025-24016 related to Wazuh ❗️CVE-2025-24016 ➡️More info: https://t.co/4EXkPd9CNB https://t.co/DBZiwfawuM
@CERTpy
11 Mar 2025
132 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
csirt_it: ‼️ Active exploitation in the wild of the vulnerability CVE-2025-24016 in #Wazuh Server has been detected Risk: 🔴 Type: 🔸Denial of Service 🔸Remote Code Execution 🔗 https://t.co/Iob9Iz8zsi ⚠ Important to update the software… https://t.co/5VNhVQr8GK
@Vulcanux_
10 Mar 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼️ Active exploitation in the wild of the vulnerability CVE-2025-24016 in #Wazuh Server has been detected Risk: 🔴 Type: 🔸Denial of Service 🔸Remote Code Execution 🔗 https://t.co/dfnXF91n8v ⚠ Important to update the affected software https://t.co/Mnll3jw8se
@csirt_it
10 Mar 2025
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-24016 - Remote Code Execution in Wazuh via Insecure Deserialization 🚨 A critical vulnerability has been identified in Wazuh (v4.4.0 to v4.9.0) due to insecure deserialization in the DistributedAPI (DAPI). https://t.co/diblq3nTRW
@BanCERT_gt
28 Feb 2025
31 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-24016: Wazuh Unsafe Deserialization Remote Code Execution (RCE) https://t.co/ocrHtiQVEb
@momika233
23 Feb 2025
4059 Impressions
36 Retweets
117 Likes
54 Bookmarks
0 Replies
0 Quotes
🚨 🔥 CVE-2025-24016: Exploit in Wazuh Allows RCE via Insecure Deserialization https://t.co/ZmxpjQ3qZI
@tpx_Security
22 Feb 2025
126 Impressions
2 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[1day1line] CVE-2025-24016: RCE Vulnerability due to Insecure Deserialization in Wazuh Manager https://t.co/6rgGe3pxgy Hello, this is empty. Today's 1day1line is CVE-2025-24016, an RCE vulnerability caused by insecure deserialization in Wazuh, an open source SIEM. The… https://
@hackyboiz
22 Feb 2025
703 Impressions
10 Retweets
11 Likes
6 Bookmarks
0 Replies
0 Quotes
Alhamdulillah, I’ve released a PoC for CVE-2025-24016 RCE in Wazuh server! Severity: 10 My GitHub PoC: https://t.co/G6Nl7aP3v0 Here is the reference: https://t.co/G6Nl7aP3v0 #CVE #RCE #BugBounty #CyberSecurity #Wazuh #InfoSec #Vulnerability #Exploit #SecurityResearch https://t.
@wgujjer11
21 Feb 2025
1608 Impressions
10 Retweets
63 Likes
29 Bookmarks
1 Reply
1 Quote
Wazuh — Unsafe Deserialization RCE (CVE-2025-24016) An unsafe deserialization vulnerability in Wazuh servers allows remote code execution through unsanitized dictionary injection in DAPI requests/responses 🔗 Source: https://t.co/7BCC8IJnsq #wazuh #deserialization #rce #cve h
@HackingTeam777
18 Feb 2025
4265 Impressions
43 Retweets
101 Likes
41 Bookmarks
0 Replies
0 Quotes
🛡️Does your company use WAZUH? They could SHUT DOWN your servers in seconds If your company uses Wazuh for monitoring and security, it could be at risk right now. A new critical vulnerability (CVE-2025-24016, CVSS 9.9) allows an attacker to: 1. Take full control of the… http
@CycuraMX
14 Feb 2025
151 Impressions
0 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-24016 Wazuh Unsafe Deserialization RCE Detection. Nuclei template to detect the unsafe deserialization vulnerability in Wazuh servers, identified as CVE-2025-24016 https://t.co/avLMulTGdd
@cyber_advising
13 Feb 2025
916 Impressions
1 Retweet
18 Likes
8 Bookmarks
0 Replies
0 Quotes
CVE-2025-24016 Wazuh Unsafe Deserialization RCE Nuclei Template https://t.co/9nP75olF39
@1337stif
13 Feb 2025
508 Impressions
2 Retweets
13 Likes
4 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2025-24016 (CVSS 9.9): Critical RCE Vulnerability Discovered in Wazuh Server 🎯28k+ Results are found on the https://t.co/pb16tGYaKe nearly year. 🔥PoC: https://t.co/vdyBHOF1w1 🔗FOFA Link:https://t.co/oYwstlQGfB FOFA Query:app="Wazuh"… https://t.co/xVgAfQRpBW
@fofabot
13 Feb 2025
991 Impressions
5 Retweets
12 Likes
4 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB8004AB-265E-4432-AC10-8361DCFC1F56",
            "versionEndExcluding": "4.9.1",
            "versionStartIncluding": "4.4.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]