CVE-2026-25769 | Wazuh | RCE
| Field | Details |
|---|---|
| CVE ID | CVE-2026-25769 |
| Title | Remote Code Execution via Insecure Deserialization in Wazuh Cluster |
| Product | Wazuh |
| Affected Component | Wazuh Cluster (master/worker architecture) |
| Vulnerability Type | Insecure Deserialization |
| CWE | CWE-502 |
| Severity | Critical |
| CVSS v3.1 | 9.1 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| Affected Versions | Wazuh >= 4.0.0 and < 4.14.3 |
| Patched Version | Wazuh 4.14.3 |
| Description | A remote code execution vulnerability exists in Wazuh cluster mode due to unsafe deserialization of untrusted data. The vulnerable `as_wazuh_object()` function processes attacker-controlled `__callable__` values, allowing arbitrary module import and function resolution during cluster message handling. |
| Attack Prerequisites | The attacker must have access to a compromised Wazuh worker node in a clustered deployment. |
| Attack Vector | A malicious worker sends a crafted DAPI or cluster message to the master node. The master deserializes attacker-controlled data and executes the resulting function. |
| Impact | Remote code execution on the Wazuh master node with root privileges, potentially leading to full compromise of the monitoring infrastructure. |
| Exploitation Notes | Public proof-of-concept code is available and demonstrates sending a payload that causes the master to execute arbitrary commands. |
| Mitigation | Upgrade Wazuh to version 4.14.3 or later. Restrict and monitor access to worker nodes in clustered environments. |
| References | Wazuh Advisory; PoC Repository; CVE Record; SentinelOne Entry |