WARNING: CRITICAL REMOTE CODE EXECUTION VULNERABILITY IN WAZUH, PATCH IMMEDIATELY!

Published: 11/02/2025

Reference:
Advisory #2025-28

Version:
1.0

Affected software:
Wazuh, affected versions >= 4.4.0 and < 4.9.1

Type:
CWE-502: Deserialization of Untrusted Data

CVE/CVSS:
CVE-2025-24016: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2025-24016

Risks

A critical remote code execution (RCE) vulnerability has been disclosed in Wazuh before 4.9.1, an open-source unified XDR and SIEM platform, with a severity score of 9.9 out of 10.

The Wazuh server is a central component of an organization's infrastructure, making it a high-value target. This vulnerability allows attackers to execute arbitrary code on the server, which can be triggered through API access or by compromising one of the Wazuh agents. The impact of this vulnerability is significant, with high risks to both the integrity and availability of the server.

Description

CVE-2025-24016, CVSS 9.9

An unsafe deserialization vulnerability in Wazuh servers allows remote code execution through unsanitized dictionary injection in DAPI requests/responses. This issue arises from the way DistributedAPI parameters are serialized as JSON and then deserialized using the as_wazuh_object function in framework/wazuh/core/cluster/common.py.

If an attacker injects an unsanitized dictionary into a DAPI request or response, they can craft an unhandled exception (__unhandled_exc__), allowing arbitrary Python code execution.
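The weakness described above is the classic CWE-502 pattern: a JSON object hook that turns a marker key in a remote dictionary into a Python object, with the remote side influencing which object is built. The following is an added illustration of the mitigation, not Wazuh's code or its fix: the object hook only accepts markers from a fixed allowlist, each marker maps to one hard-coded constructor that validates its fields, and nothing from the message is ever used to look up a class name or evaluated. The marker names (`__result__`, `__remote_error__`), the `WazuhLikeResult` type and the sample messages are constructed for the example.

```python
from __future__ import annotations

import json
from typing import Any, Callable

# Constructed illustration of allowlisted deserialization for tagged JSON.
# Not Wazuh's code: the marker names and types below are assumptions for the example.


class WazuhLikeResult:
    """Stand-in for a result object a distributed API might carry (constructed)."""

    def __init__(self, affected_items: list, total: int) -> None:
        self.affected_items = list(affected_items)
        self.total = int(total)


def _build_result(payload: dict) -> WazuhLikeResult:
    # Accept only the fields this type is known to have; anything else is rejected
    # instead of being forwarded into the constructor.
    allowed = {"affected_items", "total"}
    unexpected = set(payload) - allowed
    if unexpected:
        raise ValueError(f"unexpected fields in result object: {sorted(unexpected)}")
    if not isinstance(payload["affected_items"], list) or not isinstance(payload["total"], int):
        raise ValueError("result fields have the wrong types")
    return WazuhLikeResult(payload["affected_items"], payload["total"])


def _build_exception(payload: dict) -> Exception:
    # A remote error is mapped onto one fixed local exception type. The sender
    # chooses only the message text, never which class is instantiated.
    message = payload.get("message")
    if not isinstance(message, str) or len(message) > 1024:
        raise ValueError("remote error must carry a bounded string message")
    return RuntimeError(f"remote error: {message}")


# The allowlist is the whole point: a marker selects one of these constructors.
# There is no lookup of arbitrary class names and no eval/exec of remote data.
ALLOWED_TYPES: dict[str, Callable[[dict], Any]] = {
    "__result__": _build_result,
    "__remote_error__": _build_exception,
}


class UnsafeObjectMarker(ValueError):
    """Raised when a message carries a type marker outside the allowlist."""


def safe_object_hook(obj: dict) -> Any:
    """json.loads object_hook: rebuild only allowlisted tagged objects."""
    markers = [k for k in obj if k.startswith("__") and k.endswith("__")]
    if not markers:
        return obj  # plain dictionary, passed through unchanged
    if len(markers) != 1 or set(obj) != {markers[0]}:
        raise UnsafeObjectMarker(f"malformed tagged object, keys: {sorted(obj)}")
    marker = markers[0]
    builder = ALLOWED_TYPES.get(marker)
    if builder is None:
        raise UnsafeObjectMarker(f"refusing to deserialize unknown type marker {marker!r}")
    payload = obj[marker]
    if not isinstance(payload, dict):
        raise UnsafeObjectMarker(f"payload for {marker!r} must be a JSON object")
    return builder(payload)


def decode_message(raw: str | bytes) -> Any:
    """Deserialize one cluster/API message with the allowlisted hook."""
    return json.loads(raw, object_hook=safe_object_hook)


def rejects_message(raw: str | bytes) -> bool:
    """True if the message is refused because of its type marker."""
    try:
        decode_message(raw)
    except UnsafeObjectMarker:
        return True
    return False


# Constructed sample messages (not captured traffic).
GOOD_MESSAGE = json.dumps(
    {"data": {"__result__": {"affected_items": ["agent-001", "agent-002"], "total": 2}}}
)
# A marker that is not on the allowlist is refused regardless of its contents.
REJECTED_MESSAGE = json.dumps(
    {"data": {"__unhandled_exc__": {"note": "constructed: marker not on the allowlist"}}}
)

if __name__ == "__main__":
    result = decode_message(GOOD_MESSAGE)["data"]
    print(type(result).__name__, result.total, result.affected_items)
    print("unknown marker rejected:", rejects_message(REJECTED_MESSAGE))
```

The design choice worth noting is that the allowlist is a dictionary of constructors, not a dictionary of class names: even a marker that is accepted can only produce the object its builder was written to produce, and the builder validates every field before constructing anything. A pass-through for untagged dictionaries keeps ordinary API data working, while any marker outside the allowlist fails closed with a distinct exception type that is easy to log and alert on.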

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing. The vulnerability is patched in versions 4.9.1 and later.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

GitHub Advisory - https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh