CVE-2025-24016

Severity: CRITICAL (CVSS 9.9)
Published: 2025-02-10

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (source: nvd) - patch available
Analysis Generated: Mar 27, 2026 - 20:38 (source: vuln.today)
CVE Published: Feb 10, 2025 - 20:15 (source: nvd) - CRITICAL 9.9
Added to CISA KEV: Feb 10, 2025 - 20:15 (source: cisa)

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using as_wazuh_object. If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can forge an unhandled exception to evaluate arbitrary Python code. The vulnerability can be triggered by anybody with API access or even by a compromised agent. Version 4.9.1 contains a fix.

Analysis

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Technical Context

The flaw is a CWE-502 (deserialization of untrusted data) weakness: the as_wazuh_object function reconstructs objects from serialized JSON parameters without validating what it is asked to build. An attacker who can reach the DistributedAPI, whether through an API account or a compromised agent, can supply a dictionary that is deserialized into an unhandled exception whose handling evaluates attacker-controlled Python code on the manager.

Affected Products

Wazuh 4.4.0 through 4.9.0

Remediation

Update to Wazuh 4.9.1 or later. Restrict API access to authorized management clients, and treat agent enrollment credentials as sensitive, since a compromised agent is also a trigger path. Monitor for unusual API calls and for unexpected process execution on Wazuh manager servers.
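To make the defensive point of the Description, Technical Context and Remediation sections concrete, here is an added example (not Wazuh's code, and not the actual as_wazuh_object implementation) of the pattern that closes this class of CWE-502 bug: a JSON object hook that reconstructs only allowlisted types through typed builders and rejects every other tagged dictionary instead of interpreting it, plus a version check for the affected range the page states (4.4.0 up to but not including 4.9.1). The tag key "__wazuh_type__", the WazuhError class, and the builder registry are all constructed for this illustration.

```python
"""
Hypothetical illustration of a CWE-502-resistant JSON object hook plus an
affected-version check. Not Wazuh's code; the tag key "__wazuh_type__", the
WazuhError type and the builder registry are constructed for this example.
"""
import json
import re
from typing import Any, Callable, Dict


class WazuhError(Exception):
    """Constructed stand-in for a framework error type carried over the API."""

    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code
        self.message = message


class UnsafeObjectError(ValueError):
    """Raised when a payload asks for a type outside the allowlist or is malformed."""


TYPE_TAG = "__wazuh_type__"  # constructed tag name, not a real Wazuh key

# Registry of reconstructable types. Each builder coerces and validates the
# fields it needs; nothing here treats a string from the payload as code.
SAFE_BUILDERS: Dict[str, Callable[[Dict[str, Any]], Any]] = {
    "WazuhError": lambda d: WazuhError(int(d["code"]), str(d["message"])),
}


def as_safe_object(dct: Dict[str, Any]) -> Any:
    """json.loads object_hook: untagged dicts pass through unchanged, tagged
    dicts are rebuilt only via an allowlisted builder, and any other tag is
    rejected with UnsafeObjectError instead of being evaluated."""
    if TYPE_TAG not in dct:
        return dct
    type_name = dct[TYPE_TAG]
    builder = SAFE_BUILDERS.get(type_name)
    if builder is None:
        raise UnsafeObjectError(f"refusing to reconstruct unknown type {type_name!r}")
    try:
        return builder(dct)
    except (KeyError, TypeError, ValueError) as exc:
        raise UnsafeObjectError(f"malformed {type_name} payload: {exc}") from exc


def decode_dapi_message(raw: str) -> Any:
    """Decode a JSON message with the allowlisting hook. Returns the decoded
    structure (nested tagged dicts are rebuilt bottom-up by json.loads);
    raises UnsafeObjectError for anything the allowlist does not cover."""
    return json.loads(raw, object_hook=as_safe_object)


_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_affected_version(version: str) -> bool:
    """True when a Wazuh manager version falls inside the range this page
    gives: 4.4.0 <= version < 4.9.1. Unrecognised strings raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string {version!r}")
    parsed = tuple(int(part) for part in m.groups())
    return (4, 4, 0) <= parsed < (4, 9, 1)


if __name__ == "__main__":
    # Constructed sample messages: one legitimate error object, one tagged
    # with a type that is not in the allowlist.
    ok = decode_dapi_message(
        '{"error": 1, "data": {"__wazuh_type__": "WazuhError", '
        '"code": 1000, "message": "internal"}}'
    )
    print("accepted:", type(ok["data"]).__name__, ok["data"].code)
    try:
        decode_dapi_message('{"__wazuh_type__": "NotAllowlistedType", "x": 1}')
    except UnsafeObjectError as e:
        print("rejected:", e)
    for v in ("4.3.9", "4.4.0", "4.9.0", "4.9.1"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

The design choice worth noting is that the hook never consults the payload to decide how to build an object beyond a dictionary lookup in a fixed registry: the set of constructible types is closed, each builder coerces its fields to the expected primitive types, and a malformed or unknown tag fails closed with a single exception type that the caller can log and count as a detection signal.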

Priority Score

100

KEV: +50
EPSS: +93.9
CVSS: +50
POC: 0

Vendor Status
