June 12 Advisory: Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets [CVE-2025-24016]

Rapid Response

Vulnerability Description

CVE-2025-24016 is a critical (CVSS 9.9) remote code execution (RCE) vulnerability affecting Wazuh versions 4.4.0 through 4.9.0. The flaw stems from unsafe deserialization of JSON objects within the DistributedAPI (DAPI), specifically in the as_wazuh_object function. 

[Figure: Example Exposed Wazuh Server]

Any threat actor with API access (including a compromised dashboard, internal server, or a compromised agent) can exploit this vulnerability to execute arbitrary Python code on Wazuh servers by injecting an unsanitized dictionary into DAPI requests. A publicly available proof of concept (PoC) exploit published on GitHub demonstrates RCE through a crafted request to the /security/user/authenticate/run_as URI.
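To make the bug class concrete, the following added example (not Wazuh's code, and not the real DAPI wire format) shows the vulnerable pattern the description above refers to: a JSON object_hook that reconstructs Python objects from a class name carried in the message and resolves that name with eval(). The marker keys `__class__` and `__args__`, the `ApiError` class and the sample messages are all constructed for illustration. The hardened hook beside it resolves names only through a fixed allowlist and validates constructor arguments, so the same hostile document is rejected instead of executing code during parsing.

```python
import json

# Hypothetical marker keys used by this illustration; they are NOT Wazuh's real format.
CLASS_KEY = "__class__"
ARGS_KEY = "__args__"


class ApiError(Exception):
    """Stand-in for a framework exception type that legitimately crosses the API."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.message = message


def unsafe_object_hook(dct):
    """Vulnerable pattern: the callable name comes from the JSON and is eval()'d.

    Because object_hook runs for every JSON object during json.loads(), the
    attacker's expression executes before the caller ever sees the result."""
    if CLASS_KEY in dct:
        cls = eval(dct[CLASS_KEY])  # attacker controls this string
        return cls(*dct.get(ARGS_KEY, []))
    return dct


# Hardened pattern: only these names may be reconstructed, and never via eval().
ALLOWED_CLASSES = {"ApiError": ApiError}


def safe_object_hook(dct):
    """Look the name up in a fixed allowlist and validate arguments before constructing."""
    if CLASS_KEY in dct:
        name = dct[CLASS_KEY]
        if not isinstance(name, str) or name not in ALLOWED_CLASSES:
            raise ValueError(f"refusing to deserialize unknown class {name!r}")
        args = dct.get(ARGS_KEY, [])
        if not isinstance(args, list) or not all(isinstance(a, (str, int)) for a in args):
            raise ValueError("invalid constructor arguments")
        return ALLOWED_CLASSES[name](*args)
    return dct


def decode_unsafe(payload):
    return json.loads(payload, object_hook=unsafe_object_hook)


def decode_safe(payload):
    return json.loads(payload, object_hook=safe_object_hook)


# Constructed sample messages (not captured traffic).
BENIGN = json.dumps({"error": {CLASS_KEY: "ApiError", ARGS_KEY: [1001, "agent not found"]}})
HOSTILE = json.dumps({"error": {CLASS_KEY: "__import__('os').getpid", ARGS_KEY: []}})


def demo():
    """Run both decoders over both messages and report what happened."""
    results = {}
    results["unsafe_benign_ok"] = isinstance(decode_unsafe(BENIGN)["error"], ApiError)
    # The hostile message makes the vulnerable hook call os.getpid() while parsing.
    results["unsafe_hostile_executed"] = isinstance(decode_unsafe(HOSTILE)["error"], int)
    results["hardened_benign_ok"] = isinstance(decode_safe(BENIGN)["error"], ApiError)
    try:
        decode_safe(HOSTILE)
        results["hardened_blocked"] = False
    except ValueError:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The benign message deserializes identically under both hooks; the hostile one executes under the unsafe hook and is refused by the hardened one. os.getpid() is used here only as a harmless stand-in for the arbitrary Python an attacker would substitute.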

Threat Activity

Akamai’s Security Intelligence Response Team (SIRT) was the first to observe exploitation activity in early March 2025. The initial wave involved a Mirai variant known as “morte”, which deploys a malicious shell script to download the main payload. Akamai suggested these samples appear to be LZRD Mirai variants. 

In early May 2025, Akamai observed a second campaign leveraging the Resbot (aka Resentual) botnet, delivering a payload named “resgod”, identified by its hard-coded console string: “Resentual got you!” Both botnets used similar delivery methods, and Akamai’s report includes IOCs, malware samples, and Snort/Yara rules to support detection efforts.

Additionally, at the time of writing, GreyNoise Visualizer showed 12 malicious IPs attempting to exploit this vulnerability.

Despite early signs of exploitation activity, this vulnerability was only added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on June 10, 2025. 

CVE-ID: CVE-2025-24016 – CVSS 9.9 (Critical) – assigned by GitHub Inc.
Vulnerability Description: Remote code execution via unsafe deserialization of JSON objects in the DistributedAPI (as_wazuh_object function); exploitable by any actor with API access (e.g., a compromised dashboard, internal server, or agent).
Date of Disclosure: February 10, 2025
Date Reported as Actively Exploited: Evidence of active exploitation first observed in early March 2025 by Akamai SIRT
Affected Assets: Wazuh servers running versions 4.4.0 – 4.9.0 (DistributedAPI, as_wazuh_object function)
Vulnerable Software Versions: Wazuh 4.4.0 – 4.9.0
PoC Available?: Public exploit code has been published on GitHub.
Exploitation Status: Known to be actively exploited; added to CISA KEV on June 10, 2025. Akamai SIRT attributed exploitation to Mirai botnet deployment in early March 2025 and early May 2025.
Patch Status: Wazuh version 4.9.1 contains a fix for this vulnerability.

Censys Perspective

At the time of writing, Censys observed 17,329 exposed Wazuh server instances online, many of which expose version information. The versions in the table below were observed most frequently: 

Version   Vulnerability Status   Host Count
4.12.0    Not Vulnerable         1,350
4.11.2    Not Vulnerable         1,185
4.10.1    Not Vulnerable         340
4.9.2     Not Vulnerable         338
4.11.1    Not Vulnerable         283
4.11.0    Not Vulnerable         251
4.9.0     Vulnerable             116
4.9.1     Not Vulnerable         77
4.10.0    Not Vulnerable         54
4.10.2    Not Vulnerable         7

The majority of Wazuh servers exposing versions appear to be patched. However, a significant number of hosts did not reliably expose version information and should therefore be considered potentially vulnerable. 
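A practitioner triaging their own Wazuh inventory against this table needs a version check that compares numerically, since a naive string comparison puts "4.10.0" before "4.9.0" and would flag every 4.10.x and 4.11.x host as vulnerable. The following added example (not Censys tooling) implements that check for the affected range 4.4.0 through 4.9.0 with 4.9.1 as the first fixed release, treats hosts with no parseable version as unknown (to be considered potentially vulnerable, as the paragraph above recommends), and applies it to host counts constructed to mirror the table on this page plus a constructed "no version" bucket.

```python
import re

# Affected range from the advisory: 4.4.0 through 4.9.0; 4.9.1 is the first fixed release.
FIRST_VULNERABLE = (4, 4, 0)
FIRST_FIXED = (4, 9, 1)

# Accepts "4.9.0" or "v4.9.0" (the Wazuh API reports a leading "v" in some places).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(raw):
    """Return (major, minor, patch) as ints, or None when the string is not usable."""
    if not isinstance(raw, str):
        return None
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(raw):
    """True/False for a parseable version; None when the version is unknown.

    Comparing integer tuples is the whole point: as strings, "4.10.0" < "4.9.0"
    is True in Python, which would misclassify every 4.10.x and 4.11.x host."""
    v = parse_version(raw)
    if v is None:
        return None
    return FIRST_VULNERABLE <= v < FIRST_FIXED


# Constructed host counts mirroring the table on this page, plus a constructed
# bucket (None, 3) for hosts that exposed no parseable version.
OBSERVED = [
    ("4.12.0", 1350), ("4.11.2", 1185), ("4.10.1", 340), ("4.9.2", 338),
    ("4.11.1", 283), ("4.11.0", 251), ("4.9.0", 116), ("4.9.1", 77),
    ("4.10.0", 54), ("4.10.2", 7), (None, 3),
]


def summarize(observed):
    """Bucket hosts into vulnerable / not vulnerable / unknown.

    Unknown hosts are reported separately so they can be treated as
    potentially vulnerable rather than silently counted as patched."""
    counts = {"vulnerable": 0, "not_vulnerable": 0, "unknown": 0}
    for version, hosts in observed:
        status = is_vulnerable(version)
        if status is None:
            counts["unknown"] += hosts
        elif status:
            counts["vulnerable"] += hosts
        else:
            counts["not_vulnerable"] += hosts
    return counts


if __name__ == "__main__":
    for version, _ in OBSERVED:
        print(version, is_vulnerable(version))
    print(summarize(OBSERVED))
```

Feed `summarize()` the (version, count) pairs from your own inventory export; only the 4.9.0 row from the page's table lands in the vulnerable bucket, and the constructed no-version hosts are surfaced as unknown rather than assumed safe.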

The queries below can be used to identify exposed Wazuh server instances; matching hosts are not necessarily vulnerable to the exploit. Please note that these fingerprints were recently modified, so results may take up to 24 hours to fully propagate. 

Censys Platform Query:

web.software: (vendor: "Wazuh" and product: "Wazuh")

Censys Legacy Search Query:

services.software: (vendor="Wazuh" and product="Wazuh")

Censys ASM Query:

host.services.software: (vendor="Wazuh" and product="Wazuh") or web_entity.instances.software: (vendor="Wazuh" and product="Wazuh")

The query below can be used to find Wazuh server instances that are vulnerable to the exploit. Please note that this risk was recently deployed, so results may take up to 24 hours to fully propagate. 

Censys ASM Risk Query:

risks.name = "Vulnerable Wazuh [CVE-2025-24016]"

[Figure: Map of Exposed Wazuh Servers]
