Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-25770— Wazuh has Privilege Escalation to Root via Cluster Protocol File Write

CVSS 9.1 · Critical EPSS 0.07% · P21
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-25770

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Wazuh has Privilege Escalation to Root via Cluster Protocol File Write
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wazuh 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wazuh是Wazuh开源的一个应用软件。用于收集,汇总,索引和分析安全数据,帮助组织检测入侵,威胁和行为异常。 Wazuh 3.9.0至4.14.3之前版本存在安全漏洞,该漏洞源于集群同步协议存在权限提升问题,可能导致攻击者获得完整的Root远程代码执行权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
wazuhwazuh >= 3.9.0, < 4.14.3 -

II. Public POCs for CVE-2026-25770

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-25770

登录查看更多情报信息。

Same Patch Batch · wazuh · 2026-03-17 · 5 CVEs total

CVE-2026-257699.1 CRITICALWazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization
CVE-2026-257715.3 MEDIUMWazuh Vulnerable to Denial of Service via Synchronous I/O Blocking in Asynchronous Authent
CVE-2026-257724.9 MEDIUMWazuh Database Synchronization Vulnerable to Stack-based Buffer Overflow via snprintf Inte
CVE-2026-257904.9 MEDIUMWazuh has Stack-Based Buffer Overflow in Security Configuration Assessment JSON Parser

IV. Related Vulnerabilities

Same product: wazuh
Same vendor: wazuh
Same weakness: CWE-22

V. Comments for CVE-2026-25770

No comments yet

Leave a comment