Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The wazuh-clusterd service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the wazuh system user. Due to insecure default permissions, the wazuh user has write access to the manager's main configuration file (/var/ossec/etc/ossec.conf). By leveraging the cluster protocol to overwrite ossec.conf, an attacker can inject a malicious <localfile> command block. The wazuh-logcollector service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
AnalysisAI
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.
Technical ContextAI
Wazuh is an open-source security monitoring platform (identified by CPE cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) that uses a clustered architecture where nodes synchronize data through the wazuh-clusterd service. The vulnerability is classified as CWE-22 (Path Traversal), where the cluster protocol fails to properly validate file paths, allowing authenticated nodes to write to arbitrary locations including the main configuration file at /var/ossec/etc/ossec.conf. The insecure default permissions grant the wazuh user write access to this critical configuration file, which is then parsed by the wazuh-logcollector service running with root privileges, creating a privilege escalation chain.
RemediationAI
Upgrade Wazuh Manager to version 4.14.3 or later, which contains the official fix for this vulnerability as documented in the GitHub advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm. As an immediate mitigation before patching, restrict cluster authentication credentials to only trusted systems, implement network segmentation to limit cluster communication to authorized nodes only, and monitor file system changes to /var/ossec/etc/ossec.conf for unauthorized modifications. Organizations should also review and audit existing cluster node authentication to ensure no unauthorized access exists.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman
A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi
The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al
Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o
NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation
Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C
Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that
Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln
Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileg
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12597