HTTP: Wazuh Wazuh as_wazuh_object Insecure Deserialization

This signature detects attempts to exploit a known vulnerability against Wazuh as_wazuh_object. A successful attack can lead to arbitrary code execution.

Extended Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows remote code execution on Wazuh servers. DistributedAPI (DAPI) parameters are serialized as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`). If an attacker manages to inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access (a compromised dashboard or a Wazuh server in the cluster) or, in certain configurations, even by a compromised agent. Version 4.9.1 contains a fix.
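The mechanism above, as an added illustration that is not Wazuh's code and not the upstream 4.9.1 patch: `vulnerable_as_wazuh_object` reconstructs the unsafe pattern (an `object_hook` that passes the attacker-controlled `__class__` string to `eval()`), `hardened_as_wazuh_object` shows one way to close it (resolve the class name only against an allowlist of builtin exception types), and `is_forged_exception_payload` is a simple body-inspection check of the kind an HTTP signature like this one performs. All three function names, the allowlist, and the two JSON payloads are constructed for this example; the forged payload uses a benign lambda rather than a real exploit.

```python
import builtins
import json

# Allowlist of builtin exception classes, keyed by name. Assumption of this
# example: a DAPI response only ever needs to carry standard Python exceptions.
ALLOWED_EXCEPTIONS = {
    name: obj
    for name, obj in vars(builtins).items()
    if isinstance(obj, type) and issubclass(obj, BaseException)
}


def vulnerable_as_wazuh_object(dct):
    """Reconstruction of the unsafe pattern (not the project's code).

    json.loads calls this hook for every decoded dict. The __class__ string
    comes straight from the wire and is handed to eval(), so any Python
    expression an attacker puts there is executed and then called with __args__.
    """
    if "__unhandled_exc__" in dct:
        exc_data = dct["__unhandled_exc__"]
        return eval(exc_data["__class__"])(*exc_data["__args__"])
    return dct


def hardened_as_wazuh_object(dct):
    """Hardened hook (added example): never evaluate the class name, only look
    it up in a fixed table of builtin exception types, and type-check __args__."""
    if "__unhandled_exc__" in dct:
        exc_data = dct["__unhandled_exc__"]
        if not isinstance(exc_data, dict):
            raise ValueError("__unhandled_exc__ must be an object")
        class_name = exc_data.get("__class__")
        args = exc_data.get("__args__", [])
        if not isinstance(class_name, str) or class_name not in ALLOWED_EXCEPTIONS:
            raise ValueError(f"refusing to deserialize exception class {class_name!r}")
        if not isinstance(args, list):
            raise ValueError("__args__ must be a list")
        return ALLOWED_EXCEPTIONS[class_name](*args)
    return dct


def deserialize(payload: str, hook):
    """Decode a JSON document with the given object_hook (mirrors how a
    DAPI message would be turned back into Python objects)."""
    return json.loads(payload, object_hook=hook)


def is_forged_exception_payload(body: str) -> bool:
    """Detection helper for a raw HTTP body: True if any __unhandled_exc__
    object names a class that is not a builtin exception. A plain JSON parse
    is used here so nothing in the body is executed while inspecting it."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    hits = []

    def walk(node):
        if isinstance(node, dict):
            if "__unhandled_exc__" in node:
                exc = node["__unhandled_exc__"]
                cls = exc.get("__class__") if isinstance(exc, dict) else None
                hits.append(not isinstance(cls, str) or cls not in ALLOWED_EXCEPTIONS)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return any(hits)


# Constructed sample payloads (not captured traffic).
LEGIT_PAYLOAD = json.dumps(
    {"error": {"__unhandled_exc__": {"__class__": "KeyError", "__args__": ["agent_id"]}}}
)
# The __class__ value is an arbitrary expression; under the vulnerable hook it
# is eval()'d and called, so the decoded "error" field becomes the string it returns.
FORGED_PAYLOAD = json.dumps(
    {"error": {"__unhandled_exc__": {"__class__": "(lambda *a: 'code ran')", "__args__": []}}}
)

if __name__ == "__main__":
    print(deserialize(LEGIT_PAYLOAD, hardened_as_wazuh_object))
    print(deserialize(FORGED_PAYLOAD, vulnerable_as_wazuh_object))
    print(is_forged_exception_payload(FORGED_PAYLOAD))
    try:
        deserialize(FORGED_PAYLOAD, hardened_as_wazuh_object)
    except ValueError as exc:
        print("hardened hook rejected payload:", exc)
```

The legitimate payload decodes to a real `KeyError` under both hooks; the forged one is executed by the vulnerable hook and rejected by the hardened one, and the body check flags it without ever evaluating it. An inspection signature that only matches the literal key `__unhandled_exc__` would also fire on the legitimate message, which is why the check compares the class name against an allowlist rather than stopping at the key.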

Affected Products

Wazuh wazuh

Short Name
HTTP:CTS:WAZUH-INSCR-DES
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2025-24016 Deserialization Insecure Wazuh as_wazuh_object
Release Date
03/26/2025
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3816
False Positive
Unknown
Vendors

Wazuh
