Addressing the CVE-2025-24016 vulnerability

Recent articles have linked CVE-2025-24016, a previously fixed Wazuh server vulnerability, to botnet activity via remote code execution. The issue was fixed in October 2024 with the release of version 4.9.1. Any instance running 4.9.1 or later is not affected by this vulnerability.
It is also important to understand the nature of CVE-2025-24016. It is an authenticated vulnerability: exploiting it requires both valid credentials for the Wazuh server API and network access to that API. As such, the likelihood of exploitation is low and the overall risk is limited. Our investigation confirmed that this vulnerability impacted none of our customers.
Exploiting CVE-2025-24016 is only possible when several specific and avoidable conditions hold at once, most of which violate recommended security practices: the server runs an unpatched version (4.4.0 through 4.9.0), the attacker holds valid API credentials (for example, defaults that were never changed), and the attacker can reach the server API over the network (for example, because it is exposed to the internet).
For a complete list of affected versions and detailed patch information, please refer to our official security advisory on GitHub:
https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh.
Here are recommendations to protect your Wazuh installation:
1. Keep your Wazuh deployment up to date. Versions 4.4.0 through 4.9.0 are affected; if you are running one of them, upgrade to 4.9.1 or later.
2. Change the default credentials during the Wazuh deployment process. The Wazuh documentation provides detailed instructions for securing your installation.
3. Do not expose the Wazuh server API to the internet. Restrict API access to trusted networks and to the hosts that need it; an internet-facing API can be reached by external attackers.
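The following is an added example, not code from the Wazuh project or from the original advisory. It turns recommendations 1 and 3 into an offline triage check: it classifies a Wazuh server version against the affected range (4.4.0 up to, but not including, 4.9.1) and inspects the server API bind address to flag an API that is reachable from outside the host. Two details are assumptions rather than facts stated on this page: that `/var/ossec/bin/wazuh-control info` prints a line of the form `WAZUH_VERSION="v4.9.0"`, and that the API host and port are the top-level `host` and `port` keys of `/var/ossec/api/configuration/api.yaml`. The sample inputs are constructed. Recommendation 2 (default credentials) is not checked here because it requires querying a live API.

```python
"""Offline triage for the CVE-2025-24016 recommendations (added example).

Assumptions, not facts from the advisory:
  - `wazuh-control info` output contains: WAZUH_VERSION="v4.9.0"
  - api.yaml carries the API bind address as top-level `host:` / `port:` keys
"""
import ipaddress
import re
from typing import Dict, Tuple

# Affected range: 4.4.0 <= version < 4.9.1 (4.9.1 is the first fixed release)
FIRST_AFFECTED = (4, 4, 0)
FIRST_FIXED = (4, 9, 1)

# Constructed sample inputs (not captured from a real deployment)
SAMPLE_CONTROL_INFO = """WAZUH_VERSION="v4.9.0"
WAZUH_REVISION="40900"
WAZUH_TYPE="server"
"""
SAMPLE_API_YAML = """# constructed api.yaml fragment
host: 0.0.0.0
port: 55000
https:
  enabled: yes
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first X.Y.Z (optionally prefixed with 'v') as an int tuple."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def version_from_control_info(output: str) -> str:
    """Pull WAZUH_VERSION out of `wazuh-control info` output (assumed format)."""
    m = re.search(r'^WAZUH_VERSION="([^"]+)"', output, re.MULTILINE)
    if not m:
        raise ValueError("WAZUH_VERSION line not found")
    return m.group(1)


def api_bind(api_yaml: str) -> Tuple[str, int]:
    """Read top-level host/port from api.yaml with a minimal line parser.

    Falls back to the Wazuh API defaults (0.0.0.0:55000) when a key is absent,
    since an absent key means the default applies.
    """
    host, port = "0.0.0.0", 55000
    for line in api_yaml.splitlines():
        m = re.match(r"^(host|port)\s*:\s*([^\s#]+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if key == "host":
            host = value
        else:
            port = int(value)
    return host, port


def api_is_externally_reachable(host: str) -> bool:
    """True unless the API is bound to a loopback address only.

    0.0.0.0 and :: (unspecified) listen on every interface, so they count as
    reachable; a hostname other than 'localhost' is treated as reachable too.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host != "localhost"
    return addr.is_unspecified or not addr.is_loopback


def triage(control_info: str, api_yaml: str) -> Dict[str, object]:
    """Combine the two checks into one report for a single server."""
    version = version_from_control_info(control_info)
    host, port = api_bind(api_yaml)
    return {
        "version": version,
        "affected": is_affected(version),
        "api_host": host,
        "api_port": port,
        "api_external": api_is_externally_reachable(host),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CONTROL_INFO, SAMPLE_API_YAML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real server, feed `triage()` the output of `/var/ossec/bin/wazuh-control info` and the contents of the api.yaml file (paths as assumed above). A report with `affected: True` and `api_external: True` is exactly the combination the advisory warns about; note that "bound to all interfaces" is not the same as "exposed to the internet", so confirm the finding against your firewall or security-group rules before treating it as an exposure.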
We assure our customers that they are not affected by this vulnerability, and the vast majority of users are likely unaffected as well. Only deployments combining poor security practices, such as an API exposed to the internet and weak or default credentials, with an unpatched version are at risk.
As an open-source project, Wazuh benefits from transparency and community collaboration, enabling fast identification and remediation of vulnerabilities. We invite users to contribute to our security efforts at https://github.com/wazuh/wazuh/security. Thank you for your continued trust and support.