Wazuh, the popular open-source security platform trusted by organizations to protect cloud and on-premises workloads, is facing a serious security challenge. Researchers have detailed two critical vulnerabilities, CVE-2026-25769 and CVE-2026-25770, that together could allow an attacker to seize total control of a security monitoring cluster.
Both flaws carry a CVSS score of 9.1, signaling a “Critical” severity threat that could lead to the complete compromise of an organization’s security infrastructure.
The first vulnerability is a classic case of Insecure Deserialization (CWE-502). The flaw lies deep within the Wazuh Cluster’s communication framework, specifically in how it handles JSON messages.
When the cluster processes data, it uses a function called as_wazuh_object() to turn JSON strings back into Python objects. However, the function is “too trusting”. It allows user-controlled input to define which Python modules to import and which functions to execute without any whitelist validation.
If an attacker compromises a single worker node, they can send a “poisoned” message to the master node. The master node will deserialize the message, unwittingly execute the attacker’s code, and grant them full RCE with root privileges.
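As an added illustration (not Wazuh's own code), the decoder below shows the fix the description implies: JSON may only reconstruct objects from an explicit allowlist, so a message cannot name arbitrary modules or callables. The `__callable__` / `__module__` / `__qualname__` / `__kwargs__` tag layout is an assumption for this example, not Wazuh's actual wire format.

```python
import json
from datetime import datetime

# Allowlist of (module, qualname) pairs the decoder is permitted to reconstruct.
# An unsafe decoder would import the module named in the message and call the
# attribute it names; here the message can only select from this table.
ALLOWED_CALLABLES = {
    ("datetime", "datetime"): datetime,
}


class UnsafeObjectError(ValueError):
    """Raised when a message asks for a callable outside the allowlist."""


def _allowlisted_object_hook(obj: dict):
    # Only dicts carrying the (assumed) "__callable__" tag are special;
    # every other JSON object passes through unchanged.
    if "__callable__" not in obj:
        return obj
    spec = obj["__callable__"]
    if not isinstance(spec, dict):
        raise UnsafeObjectError("__callable__ must be an object")
    key = (spec.get("__module__"), spec.get("__qualname__"))
    factory = ALLOWED_CALLABLES.get(key)
    if factory is None:
        raise UnsafeObjectError(f"refusing to reconstruct {key!r}: not allowlisted")
    kwargs = spec.get("__kwargs__", {})
    if not isinstance(kwargs, dict):
        raise UnsafeObjectError("__kwargs__ must be an object")
    return factory(**kwargs)


def decode_cluster_message(raw: str):
    """Deserialize a cluster message, reconstructing only allowlisted objects."""
    return json.loads(raw, object_hook=_allowlisted_object_hook)


def is_acceptable(raw: str) -> bool:
    """True if the message decodes using only allowlisted callables."""
    try:
        decode_cluster_message(raw)
        return True
    except (ValueError, TypeError):
        return False
```

A message that names any module/callable pair outside `ALLOWED_CALLABLES` is rejected before anything is imported or called.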
Even if an attacker only has unprivileged access to the cluster, the second vulnerability provides a clear path to becoming a “superuser”. This flaw involves the Wazuh Cluster Protocol (port 1516), which is responsible for syncing files between nodes.
The wazuh-clusterd service, which runs as an unprivileged user, fails to “chroot” or restrict where it can write incoming files. By exploiting insecure default permissions, an attacker can force the service to overwrite the manager’s main configuration file, ossec.conf.
- Injection: The attacker sends a crafted network packet to overwrite ossec.conf with a malicious command block.
- Execution: The wazuh-logcollector service, which does run as root, parses the new configuration and executes the injected command.
- Result: The attacker achieves Vertical Privilege Escalation, turning a cluster key into root-level access.
The consequences of these vulnerabilities are severe. An attacker could silently bypass security alerts, exfiltrate data from all monitored systems, or even pivot from the security cluster to production systems via agent commands.
Wazuh has released patches to address these issues. Administrators should upgrade to version 4.14.3 or newer immediately.
Beyond patching, experts recommend hardening file permissions. Specifically, the ossec.conf file should be owned by root and set to read-only for the wazuh group (permissions 640) to prevent unprivileged services from tampering with it. Additionally, the cluster service should be modified to only allow file writes to specific, non-executable data directories.