Wazuh

CVE	Summary	Severity	CVSS	EPSS	Priority	Signals
CVE-2025-24016	Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.	CRITICAL	9.9	93.9%	100	KEV
CVE-2026-25769	A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory.	CRITICAL	9.1	0.4%	66	PoC
CVE-2024-1243	CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.	HIGH	7.2	0.5%	57	PoC
CVE-2026-25770	Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.	CRITICAL	9.1	0.1%	46
CVE-2026-30893	Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.	CRITICAL	9.0	0.1%	45	PoC
CVE-2026-32983	Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.	MEDIUM	6.9	0.1%	35	No patch
CVE-2026-28221	Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-bas	MEDIUM	6.5	0.1%	33
CVE-2026-26206	Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's ser	MEDIUM	6.5	0.0%	33
CVE-2026-41499	Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple he	MEDIUM	6.5	0.0%	33
CVE-2026-25771	Denial of service in Wazuh 4.3.0 through 4.14.2 allows unauthenticated attackers to exhaust API resources by sending crafted Bearer token requests that trigger blocking disk I/O operations in the authentication middleware, preventing the single-threaded event loop from processing legitimate connections. The vulnerability exists because synchronous file operations are called on every API request without proper resource constraints, enabling attackers to starve the application of CPU availability with relatively low request volumes. No patch is currently available.	MEDIUM	5.3	0.1%	27
CVE-2026-32984	Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh::::::::) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.	MEDIUM	5.3	0.1%	27	No patch
CVE-2026-25790	Stack-based buffer overflow in Wazuh manager versions 3.9.0 through 4.14.3 allows remote attackers with high privileges to crash the `wazuh-analysisd` service via malformed JSON events, resulting in denial of service. The vulnerability stems from unsafe use of sprintf with floating-point format specifiers in the Security Configuration Assessment decoder, and may potentially enable remote code execution on affected Wazuh installations.	MEDIUM	4.9	0.1%	25
CVE-2026-25772	Stack-based buffer overflow in Wazuh 4.4.0 through 4.14.2 allows authenticated remote attackers with high privileges to trigger an integer underflow in the database synchronization module, causing denial of service or potential code execution. The vulnerability exists in SQL query construction logic within wdb_delta_event.c where improper size calculations on buffers exceeding 2048 bytes can corrupt the stack. A patch is available in version 4.14.3.	MEDIUM	4.9	0.0%	25
CVE-2026-26204	Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-base	MEDIUM	4.4	0.0%	22
CVE-2024-35177	Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.	HIGH	7.8	0.0%	–	PoC

CVE-2025-24016

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

CRITICAL

9.9

93.9%

100

KEV

CVE-2026-25769

A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achieve remote code execution with root privileges on the master node. The vulnerability affects Wazuh versions 4.0.0 through 4.14.2 and poses severe risk to organizations using Wazuh in distributed deployments, as compromise of any single worker node can lead to full cluster takeover. While no active exploitation has been reported (not in KEV), proof-of-concept materials are publicly available via the Google Drive link in the advisory.

CRITICAL

9.1

0.4%

66

PoC

CVE-2024-1243

CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.

HIGH

7.2

0.5%

57

PoC

CVE-2026-25770

Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauthenticated root code execution by exploiting insecure file permissions in the cluster synchronization protocol. An attacker with cluster node access can overwrite the manager's configuration file to inject malicious commands that are subsequently executed with root privileges by the logcollector service. This vulnerability affects multi-node Wazuh deployments and has no available patch.

CRITICAL

9.1

0.1%

46

CVE-2026-30893

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

CRITICAL

9.0

0.1%

45

PoC

CVE-2026-32983

Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation, enabling remote attackers to trigger denial of service by flooding the service with excessive renegotiation requests that exhaust CPU resources and render the authentication daemon unavailable. The vulnerability affects all Wazuh Manager installations up to and including version 4.7.3, requires no authentication or user interaction, and can be exploited over the network by any remote actor. No public exploit code or active exploitation has been confirmed at this time, though the straightforward nature of renegotiation-based DoS attacks and moderate CVSS score of 6.9 indicate practical exploitability.

MEDIUM

6.9

0.1%

35

No patch

CVE-2026-28221

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-bas

MEDIUM

6.5

0.1%

33

CVE-2026-26206

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's ser

MEDIUM

6.5

0.0%

33

CVE-2026-41499

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple he

MEDIUM

6.5

0.0%

33

CVE-2026-25771

Denial of service in Wazuh 4.3.0 through 4.14.2 allows unauthenticated attackers to exhaust API resources by sending crafted Bearer token requests that trigger blocking disk I/O operations in the authentication middleware, preventing the single-threaded event loop from processing legitimate connections. The vulnerability exists because synchronous file operations are called on every API request without proper resource constraints, enabling attackers to starve the application of CPU availability with relatively low request volumes. No patch is currently available.

MEDIUM

5.3

0.1%

27

CVE-2026-32984

Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.

MEDIUM

5.3

0.1%

27

No patch

CVE-2026-25790

Stack-based buffer overflow in Wazuh manager versions 3.9.0 through 4.14.3 allows remote attackers with high privileges to crash the `wazuh-analysisd` service via malformed JSON events, resulting in denial of service. The vulnerability stems from unsafe use of sprintf with floating-point format specifiers in the Security Configuration Assessment decoder, and may potentially enable remote code execution on affected Wazuh installations.

MEDIUM

4.9

0.1%

25

CVE-2026-25772

Stack-based buffer overflow in Wazuh 4.4.0 through 4.14.2 allows authenticated remote attackers with high privileges to trigger an integer underflow in the database synchronization module, causing denial of service or potential code execution. The vulnerability exists in SQL query construction logic within wdb_delta_event.c where improper size calculations on buffers exceeding 2048 bytes can corrupt the stack. A patch is available in version 4.14.3.

MEDIUM

4.9

0.0%

25

CVE-2026-26204

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-base

MEDIUM

4.4

0.0%

22

CVE-2024-35177

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

HIGH

7.8

0.0%

–

PoC

Severity Breakdown

Monthly CVE Trend

Affected Products (2)

Top Risky CVEs