Unsafe Deserialization RCE in Wazuh DistributedAPI
CVE-2025-24016 is a critical unsafe deserialization vulnerability in Wazuh Server affecting versions 4.4.0 through 4.9.0 (fixed in 4.9.1). DistributedAPI (DAPI) parameters are serialized as JSON and deserialized via the as_wazuh_object function in framework/wazuh/core/cluster/common.py. If an attacker can inject an unsanitized dictionary into a DAPI request or response, they can forge an unhandled exception object (__unhandled_exc__) that results in evaluation of arbitrary Python code. This leads to remote code execution on the Wazuh server. The issue can be triggered by an actor with API access, including via a compromised dashboard or another Wazuh server in the cluster, and in certain configurations may also be reachable from a compromised agent.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
__unhandled_exc__ objects, shell downloader execution, and anomalous child processes from Wazuh components. Increase detection and incident response monitoring around Wazuh servers and connected agents until patching is completed.
Remediation
Patch, then assume compromise.
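The Mitigation section above calls for watching for __unhandled_exc__ objects in DistributedAPI traffic. The block below is an added example, written for this page and not code from Wazuh or from any of the exploit repositories listed here: it walks JSON request bodies for that type tag, reports the JSON path of every occurrence, and shows a json.loads object_hook that refuses such objects outright when the input comes from outside the cluster. The log field names (src, endpoint, body), the sample log lines and the function names are assumptions made for the example; Wazuh's real API log format is different.

```python
import json
from typing import Any, Dict, Iterator, List, Tuple

# The type tag that as_wazuh_object interprets as a serialised unhandled
# exception (the key named in the CVE description). Its appearance in a
# request body arriving from outside the cluster is suspicious.
UNHANDLED_EXC_TAG = "__unhandled_exc__"


def find_tag(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSON path for every dict (at any depth) carrying the tag."""
    if isinstance(obj, dict):
        if UNHANDLED_EXC_TAG in obj:
            yield path
        for key, value in obj.items():
            yield from find_tag(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from find_tag(value, f"{path}[{idx}]")


def reject_tagged_objects(dct: Dict[str, Any]) -> Dict[str, Any]:
    """object_hook for untrusted input: refuse the tag instead of honouring it."""
    if UNHANDLED_EXC_TAG in dct:
        raise ValueError(f"refusing to deserialise a {UNHANDLED_EXC_TAG} object")
    return dct


def parse_untrusted(body: str) -> Any:
    """Parse JSON from an untrusted source with the rejecting hook installed."""
    return json.loads(body, object_hook=reject_tagged_objects)


def is_rejected(body: str) -> bool:
    """True when parse_untrusted refuses the body because of the tag."""
    try:
        parse_untrusted(body)
    except ValueError:
        return True
    return False


# Constructed sample of API access-log entries, one JSON object per line.
# The field names are an assumption for this example, not Wazuh's format.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "endpoint": "/security/user/authenticate/run_as", "body": {"user": "alice", "roles": ["analyst"]}}
{"src": "10.0.0.9", "endpoint": "/security/user/authenticate/run_as", "body": {"user": "bob", "extra": {"__unhandled_exc__": {}}}}
{"src": "10.0.0.7", "endpoint": "/agents", "body": {"filters": [{"status": "active"}, {"__unhandled_exc__": {}}]}}
{"src": "10.0.0.3", "endpoint": "/manager/info", "body": "not a json object"}
"""


def scan_api_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (src, endpoint, json_path) for each request body carrying the tag."""
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line: not this detector's concern
        for path in find_tag(entry.get("body")):
            alerts.append((entry.get("src", "?"), entry.get("endpoint", "?"), path))
    return alerts


if __name__ == "__main__":
    for src, endpoint, path in scan_api_log(SAMPLE_LOG):
        print(f"ALERT src={src} endpoint={endpoint} tag at {path}")
```

The walk is recursive on purpose: the tag only matters if it reaches as_wazuh_object, and that function is applied to nested objects too, so a scanner that checks only the top-level keys would miss a tag buried inside a list or a sub-document. The object_hook variant is the corresponding ingestion-side check for code that must parse untrusted JSON before handing it to a deserializer with type-tag semantics.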
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository provides a working proof-of-concept (PoC) exploit for CVE-2025-24016, a remote code execution (RCE) vulnerability in Wazuh server versions 4.4.0 through 4.9.0. The exploit leverages unsafe deserialization in the Wazuh DistributedAPI, specifically targeting the '/security/user/authenticate/run_as' endpoint. The main script, 'CVE-2025-24016.py', is a Python tool that takes the target URL, attacker's IP (LHOST), and port (LPORT) as arguments, along with optional authentication credentials (defaulting to 'wazuh-wui:MyS3cr37P450r.*-'). It crafts a malicious JSON payload that abuses the '__unhandled_exc__' deserialization to execute arbitrary Python code on the server, resulting in a reverse shell connection back to the attacker's machine. The exploit requires valid API credentials and network access to the Wazuh server's API endpoint. The repository also includes a README.md with detailed vulnerability explanation, usage instructions, and a sample Burp Suite request. The code is a functional PoC and does not include advanced features or payload customization, but demonstrates the vulnerability's impact clearly.
This repository contains a single Python exploit script (CVE-2025-24016.py) and a brief README. The exploit targets Wazuh version 8.4, specifically exploiting CVE-2025-24016, a remote code execution (RCE) vulnerability. The script requires the attacker to provide the target URL (typically https://<worker-server>:55000/security/user/authenticate/run_as), the attacker's IP (LHOST), and port (LPORT) for the reverse shell. Optional arguments include authentication credentials (defaulting to 'wazuh-wui' and 'MyS3cr37P450r.*-'), proxy usage, and configuration file path. The exploit works by sending a crafted JSON payload to the Wazuh server's authentication endpoint, abusing deserialization to trigger os.system and execute a bash reverse shell command. If successful, the Wazuh server connects back to the attacker's machine, providing a shell. The script includes input validation, logging, and colored output for usability. No detection or scanning functionality is present; this is a direct exploit. The only endpoints referenced are the Wazuh API endpoint, the attacker's IP/port for the reverse shell, and an optional local proxy for traffic interception.
This repository provides a working proof-of-concept (PoC) exploit for CVE-2025-24016, a critical remote code execution (RCE) vulnerability in the Wazuh server (wazuh-manager) versions 4.4.0 through 4.9.0. The exploit leverages unsafe deserialization in the Wazuh API's /security/user/authenticate/run_as endpoint, allowing an authenticated attacker to execute arbitrary Python code on the server. The main exploit script (CVE-2025-24016-POC.py) constructs a malicious JSON payload using the __reduce__ method to trigger code execution via Python's os.system or subprocess modules. The script sends this payload to the vulnerable endpoint using HTTP POST, authenticating with a base64-encoded username and password. The README.md provides detailed vulnerability context, example payloads, and mitigation advice. The repository contains three files: the exploit script (Python), a README with technical and usage details, and a standard MIT license. The exploit is operational, requiring valid API credentials and network access to the Wazuh API endpoint.
This repository contains a Python exploit script (exploit_wazuh.py) and a requirements.txt file specifying dependencies. The exploit targets Wazuh worker servers accessible over HTTPS, defaulting to port 55000, and requires valid HTTP Basic Authentication credentials. The script sends a specially crafted JSON payload to the '/security/user/authenticate/run_as' endpoint, exploiting insecure deserialization or command injection to execute arbitrary system commands on the server. The output of the command is returned to the attacker. The repository is operational, providing a working exploit with customizable command execution, but does not include advanced payload management or integration with exploitation frameworks.
This repository contains a Python proof-of-concept exploit for CVE-2025-24016, a remote code execution (RCE) vulnerability in Wazuh servers. The exploit leverages unsafe deserialization in the Wazuh DistributedAPI (DAPI), specifically by injecting a crafted dictionary into a DAPI request to the '/security/user/authenticate/run_as' endpoint. The main script, 'CVE-2025-24016.py', is a command-line tool that requires the attacker to specify the target URL, their own IP address, and a port for the reverse shell. It authenticates to the Wazuh server (with default or user-supplied credentials), sends a malicious JSON payload that triggers the vulnerability, and attempts to establish a reverse shell back to the attacker's machine. The repository also includes a README with detailed usage instructions and a requirements.txt for dependencies. The exploit is operational, providing a working reverse shell if the target is vulnerable and accessible. No detection-only scripts are present; the code is a functional exploit.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
44 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific vulnerability listed as suspected to be exploited by Iran-linked actors in real-world campaigns; no further technical detail is provided in the content.
A 2025 vulnerability tracked in the report as one of the CVEs adopted by RondoDox after disclosure.
A critical Wazuh Server unsafe deserialization vulnerability exploited to drop Mirai-based botnet variants for DDoS.
A vulnerability in Wazuh servers exploited by Mirai variants for botnet propagation and malware delivery.