Skip to main content

Wazuh CVE-2026-25770

| EUVDEUVD-2026-12597 CRITICAL
Path Traversal (CWE-22)
2026-03-17 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:50 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.14.3
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12597
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 18:02 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The wazuh-clusterd service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the wazuh system user. Due to insecure default permissions, the wazuh user has write access to the manager's main configuration file (/var/ossec/etc/ossec.conf). By leveraging the cluster protocol to overwrite ossec.conf, an attacker can inject a malicious <localfile> command block. The wazuh-logcollector service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.

AnalysisAI

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

Technical ContextAI

Wazuh is an open-source security monitoring platform (identified by CPE cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) that uses a clustered architecture where nodes synchronize data through the wazuh-clusterd service. The vulnerability is classified as CWE-22 (Path Traversal), where the cluster protocol fails to properly validate file paths, allowing authenticated nodes to write to arbitrary locations including the main configuration file at /var/ossec/etc/ossec.conf. The insecure default permissions grant the wazuh user write access to this critical configuration file, which is then parsed by the wazuh-logcollector service running with root privileges, creating a privilege escalation chain.

RemediationAI

Upgrade Wazuh Manager to version 4.14.3 or later, which contains the official fix for this vulnerability as documented in the GitHub advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm. As an immediate mitigation before patching, restrict cluster authentication credentials to only trusted systems, implement network segmentation to limit cluster communication to authorized nodes only, and monitor file system changes to /var/ossec/etc/ossec.conf for unauthorized modifications. Organizations should also review and audit existing cluster node authentication to ensure no unauthorized access exists.

More in Wazuh

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2021-44079 CRITICAL POC
9.8 Nov 22

In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman

CVE-2026-25769 CRITICAL POC
9.1 Mar 17

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi

CVE-2018-19666 HIGH POC
7.8 Nov 29

The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa

CVE-2024-1243 HIGH POC
7.2 Jun 11

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al

CVE-2021-41821 MEDIUM POC
6.5 Sep 29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o

CVE-2026-56699 CRITICAL
10.0 Jul 15

NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation

CVE-2024-32038 CRITICAL
9.8 Apr 19

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C

CVE-2026-30893 CRITICAL POC
9.0 Apr 29

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that

CVE-2023-42455 HIGH
8.8 Oct 09

Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln

CVE-2022-40497 HIGH
8.8 Sep 28

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe

CVE-2021-26814 HIGH
8.8 Mar 06

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileg

Share

CVE-2026-25770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy