Skip to main content

Wazuh EUVDEUVD-2026-12595

| CVE-2026-25769 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-17 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 16, 2026 - 05:50 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.14.3
PoC Detected
Mar 18, 2026 - 14:52 vuln.today
Public exploit code
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12595
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 17:41 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data). All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.

AnalysisAI

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory.

Technical ContextAI

The vulnerability stems from unsafe deserialization of untrusted data (CWE-502) in Wazuh's cluster communication protocol between master and worker nodes. Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) is an open-source security monitoring platform that uses a master-worker architecture in cluster mode for distributed threat detection and response. The deserialization flaw allows malicious payloads sent from a compromised worker node to be executed on the master node without proper validation, a classic example of trusting internal network communications without verification.

RemediationAI

Immediately upgrade all Wazuh cluster deployments to version 4.14.3 or later, which contains the security fix for this deserialization vulnerability. Until patching is complete, implement network segmentation between worker and master nodes, monitor for suspicious cluster communication patterns, and review worker node access controls to prevent initial compromise. Additional technical details and proof-of-concept information can be found at https://drive.google.com/drive/folders/1WlkKNmHexz8212OVED9O6M_3pI8b6qNI?usp=sharing, though accessing this should be limited to security teams for assessment purposes.

More in Wazuh

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2021-44079 CRITICAL POC
9.8 Nov 22

In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman

CVE-2018-19666 HIGH POC
7.8 Nov 29

The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa

CVE-2024-1243 HIGH POC
7.2 Jun 11

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al

CVE-2021-41821 MEDIUM POC
6.5 Sep 29

Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o

CVE-2026-56699 CRITICAL
10.0 Jul 15

NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation

CVE-2024-32038 CRITICAL
9.8 Apr 19

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C

CVE-2026-25770 CRITICAL
9.1 Mar 17

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth

CVE-2026-30893 CRITICAL POC
9.0 Apr 29

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that

CVE-2023-42455 HIGH
8.8 Oct 09

Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln

CVE-2022-40497 HIGH
8.8 Sep 28

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe

CVE-2021-26814 HIGH
8.8 Mar 06

Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileg

Share

EUVD-2026-12595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy