
CVE-2025-24016 PoC — Remote code execution in Wazuh server

Associated Vulnerability
Title: Remote code execution in Wazuh server (CVE-2025-24016)
Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Description
Detection for CVE-2025-24016 - Deserialization of Untrusted Data Vulnerability in the Wazuh software
Readme
# CVE-2025-24016

## How does this detection method work?

This Nuclei HTTP template checks a target URL (and its /app/login page) for the Wazuh web interface, extracts the wazuhVersion value with a regex, and confirms the page is accessible (200 status) and actually a Wazuh UI (via title and keyword match). If the extracted version sits between 4.4.0 and 4.9.0 (the vulnerable range for CVE-2025-24016), Nuclei reports a critical finding, signalling that unsafe deserialisation could allow remote code execution.
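The check described above, as an added Python example that is not the template's own code or the README author's: it extracts `wazuhVersion`, confirms the page looks like a Wazuh UI, and compares the version numerically against the 4.4.0 to 4.9.0 range, which avoids the lexical pitfall where "4.10.0" sorts before "4.4.0". The page sample and the JSON-style `wazuhVersion` field the regex matches are constructed assumptions; the real dashboard markup and the template's own regex may differ.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a dashboard login page (assumption, not real Wazuh markup).
SAMPLE_PAGE = """<html><head><title>Wazuh</title></head>
<body><script>window.__WAZUH__={"wazuhVersion":"4.8.2"};</script></body></html>"""

VULN_MIN = (4, 4, 0)   # first vulnerable release named in the advisory
FIXED_AT = (4, 9, 1)   # first release containing the fix

# Assumed field layout; the template's real regex may differ.
VERSION_RE = re.compile(r'"wazuhVersion"\s*:\s*"(\d+\.\d+\.\d+)"')


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.8.2' into (4, 8, 2) so comparison is numeric, not lexical:
    as strings, '4.10.0' < '4.4.0', which would misclassify a patched host."""
    return tuple(int(part) for part in text.split("."))


def extract_version(html: str) -> Optional[str]:
    """Return the wazuhVersion string found in the page, or None."""
    match = VERSION_RE.search(html)
    return match.group(1) if match else None


def looks_like_wazuh(html: str) -> bool:
    """Mirror the README's sanity check: title and keyword must both match."""
    title_ok = re.search(r"<title>[^<]*Wazuh[^<]*</title>", html, re.I) is not None
    return title_ok and "wazuhVersion" in html


def is_vulnerable_version(version: str) -> bool:
    """True when VULN_MIN <= version < FIXED_AT, i.e. 4.4.0 through 4.9.0."""
    return VULN_MIN <= parse_version(version) < FIXED_AT


def assess(html: str, status: int) -> str:
    """Classify a fetched page as 'not-wazuh', 'unknown-version',
    'vulnerable' or 'patched', following the template's decision order."""
    if status != 200 or not looks_like_wazuh(html):
        return "not-wazuh"
    version = extract_version(html)
    if version is None:
        return "unknown-version"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_PAGE, 200))  # vulnerable
```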

## How do I run this script?

1. Download Nuclei from [here](https://github.com/projectdiscovery/nuclei)
2. Copy the template to your local system
3. Run the following command: `nuclei -u https://yourHost.com -t template.yaml` 

## References

- https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2025-24016

## Disclaimer

Use at your own risk, I will not be responsible for illegal activities you conduct on infrastructure you do not own or have permission to scan.

## Contact

Feel free to reach out to me on [Signal](https://signal.me/#eu/0Qd68U1ivXNdWCF4hf70UYFo7tB0w-GQqFpYcyV6-yr4exn2SclB6bFeP7wTAxQw).
File Snapshot

[4.0K] /data/pocs/5df95dc000bfa36fd5f3c1ebe6df575a8d6634a8
├── [1.6K] CVE-2025-24016.yaml
└── [1.2K] README.md

0 directories, 2 files