Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.
Published: 2026-03-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Wazuh versions 4.0.0 through 4.14.2 contain a Remote Code Execution (RCE) vulnerability caused by deserialization of untrusted data (CWE-502). An attacker who obtains any access to a worker node can execute arbitrary code with root privileges on the master node, compromising the entire cluster.

Affected Systems

The affected product is Wazuh, specifically deployments using the cluster mode (master/worker architecture). All versions from 4.0.0 up to and including 4.14.2 are impacted; version 4.14.3 and later contain the fix.

Risk and Exploitability

This vulnerability has a CVSS score of 9.1, which is rated Critical. The EPSS score is below 1%, suggesting a low current probability of exploitation, and it is not listed in CISA's KEV catalog. The attack requires initial compromise of a worker node; once that is achieved, the attacker can use the insecure deserialization to gain full RCE on the master node with root-level access. The high impact, combined with the prerequisite of worker node access, makes it a significant threat to clusters with insufficient isolation or hardening, especially those exposed to the internet or with weak network segmentation.

Generated by OpenCVE AI on March 19, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.3 or later.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wazuh, Wazuh wazuh
Vendors & Products | | Wazuh, Wazuh wazuh

Tue, 17 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.0.0 through 4.14.2 have a Remote Code Execution (RCE) vulnerability due to Deserialization of Untrusted Data. All Wazuh deployments using cluster mode (master/worker architecture) and any organization with a compromised worker node (e.g., through initial access, insider threat, or supply chain attack) are impacted. An attacker who gains access to a worker node (through any means) can achieve full RCE on the master node with root privileges. Version 4.14.3 fixes the issue.
Title | | Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T03:55:49.623Z

Reserved: 2026-02-05T18:35:52.359Z

Link: CVE-2026-25769

Vulnrichment

Updated: 2026-03-17T18:19:21.672Z

NVD

Status: Analyzed

Published: 2026-03-17T18:16:15.267

Modified: 2026-03-19T17:18:30.560

Link: CVE-2026-25769

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:58Z
