The Watchman Who Left the Gate Open: Wazuh RCE Analysis
Jan 15, 2026·6 min read·46 visits
Executive Summary (TL;DR)
Wazuh, the popular open-source SIEM, contains a fatal flaw in how it processes JSON data between cluster nodes. By sending a specially crafted request with an `__unhandled_exc__` key, an attacker can trick the server into instantiating arbitrary Python classes. This leads to full RCE as the `wazuh` user. The vulnerability is actively exploited by Mirai botnets. Patch immediately to version 4.9.1.
A critical Remote Code Execution (RCE) vulnerability in Wazuh Manager allows unauthenticated attackers to execute arbitrary commands via the Distributed API. This flaw arises from insecure deserialization logic where the system blindly trusts user-supplied data to reconstruct Python exceptions.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Wazuh Manager Wazuh | >= 4.4.0, < 4.9.1 | 4.9.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 (Deserialization of Untrusted Data) |
| CVSS v3.1 | 9.9 (Critical) |
| Attack Vector | Network (API) |
| Privileges Required | None / Low |
| EPSS Score | 0.93 (93.40%) |
| Exploit Status | Active / Weaponized |
| KEV Listed | Yes (2025-06-10) |
MITRE ATT&CK Mapping
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.