What is the CVSS score of CVE-2026-25770?

CVE-2026-25770 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Wazuh are affected by CVE-2026-25770?

CVE-2026-25770 is a critical privilege escalation vulnerability in Wazuh Manager (versions 3.9.0-4.14.2) that allows authenticated cluster nodes to execute arbitrary commands as root through insecure…. A patch is available.

Wazuh CVE-2026-25770

EUVD-2026-12597 CRITICAL

Path Traversal (CWE-22)

2026-03-17 GitHub_M

Privilege Escalation RCE Path Traversal Wazuh

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:50 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

4.14.3

EUVD ID Assigned

Mar 17, 2026 - 20:30 euvd

EUVD-2026-12597

Analysis Generated

Mar 17, 2026 - 20:30 vuln.today

CVE Published

Mar 17, 2026 - 18:02 nvd

CRITICAL 9.1

DescriptionNVD

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The wazuh-clusterd service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the wazuh system user. Due to insecure default permissions, the wazuh user has write access to the manager's main configuration file (/var/ossec/etc/ossec.conf). By leveraging the cluster protocol to overwrite ossec.conf, an attacker can inject a malicious <localfile> command block. The wazuh-logcollector service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.

AnalysisAI

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. …

RemediationAI

24 hours: Identify all Wazuh Manager instances in your environment and document versions in use; restrict cluster node network access to trusted IPs only via firewall rules. 7 days: Apply vendor patch to all affected Wazuh Manager instances (upgrade to version 4.14.3 or later per vendor advisory); validate patch deployment across all cluster nodes. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-25770 vulnerability details – vuln.today

Back

Wazuh CVE-2026-25770

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code