Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
Published: 2026-03-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Root Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An attacker with authenticated cluster credentials can exploit the wazuh-clusterd service on the Wazuh Manager to write arbitrary files with the wazuh system user's permissions. Because the wazuh user has write access to the main configuration file /var/ossec/etc/ossec.conf, a malicious <localfile> command block can be injected. The wazuh-logcollector service, running as root, parses this configuration and executes the injected commands, resulting in full root privilege escalation. The weakness involves insecure default permissions (CWE-732), improper privilege escalation (CWE-269), and path traversal (CWE-22).

Affected Systems

The vulnerability affects Wazuh Manager versions from 3.9.0 through 4.14.2, where cluster synchronization allows file writes with wazuh user ownership. Version 4.14.3 includes a fix that blocks unauthorized writes and removes the insecure default permissions.

Risk and Exploitability

With a CVSS score of 9.1, the threat is classified as critical. The EPSS score of under 1% indicates limited known exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. Nonetheless, because any cluster node with valid credentials can initiate the exploit, the risk to systems with active cluster configurations is high. The attack requires only authenticated cluster access; no further privilege escalation steps are needed to achieve root RCE.
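As an added, defensive example (written for this page, not code from the OpenCVE record or the Wazuh project), the following Python script audits a manager for the two conditions the chain above depends on: whether `/var/ossec/etc/ossec.conf` is writable by the unprivileged `wazuh` service user, and which `<localfile>` blocks would make the root-running `wazuh-logcollector` execute a command. The element names `<log_format>` with values `command`/`full_command` and `<command>` are assumed from Wazuh's documented localfile configuration; the sample configuration, the uid/gid `999`, and the `/opt/example/unknown.sh` path are constructed for the demonstration.

```python
"""Audit a Wazuh manager's ossec.conf for the two conditions the advisory
chains together: (1) the file being writable by the `wazuh` service user and
(2) <localfile> command blocks, which wazuh-logcollector runs as root.
Added example for this advisory page; not Wazuh project code."""
import os
import pwd
import grp
import stat
import xml.etree.ElementTree as ET

# localfile formats that make logcollector execute a command
# (assumed from Wazuh's documented localfile configuration).
COMMAND_FORMATS = {"command", "full_command"}


def user_can_write(mode, file_uid, file_gid, uid, gids):
    """Return True if a user with `uid` and group set `gids` can write a file
    with POSIX `mode`, owner `file_uid` and group `file_gid`.
    Pure function, so it can be exercised without a real wazuh account."""
    if uid == file_uid and mode & stat.S_IWUSR:
        return True
    if file_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def find_command_localfiles(conf_text):
    """Return (log_format, command) for every <localfile> that runs a command.
    ossec.conf may hold several top-level <ossec_config> elements, so the text
    is wrapped in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in COMMAND_FORMATS:
            found.append((fmt, (lf.findtext("command") or "").strip()))
    return found


def unexpected_commands(conf_text, allowlist):
    """Command blocks whose command string is not in the operator's allowlist."""
    return [c for c in find_command_localfiles(conf_text) if c[1] not in allowlist]


def audit(path="/var/ossec/etc/ossec.conf", user="wazuh", allowlist=()):
    """Live check against the real file and the real service account."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "writable_by_service_user": user_can_write(
            st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids),
        "unexpected_commands": unexpected_commands(text, set(allowlist)),
    }


# Constructed sample config (not from any real deployment): one allowlisted
# command block, one plain log file, and one command block to review.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>/opt/example/unknown.sh</command>
  </localfile>
</ossec_config>
"""
KNOWN_GOOD = {"df -P"}

if __name__ == "__main__":
    print(find_command_localfiles(SAMPLE_CONF))
    print(unexpected_commands(SAMPLE_CONF, KNOWN_GOOD))
    # Constructed uid/gid 999 for the service user; mode 0660 with that group
    # means the service user can rewrite the file, mode 0640 means it cannot.
    print(user_can_write(0o660, 0, 999, 999, {999}), user_can_write(0o640, 0, 999, 999, {999}))
```

On a real manager, `audit(allowlist=KNOWN_GOOD)` run as root reports both findings at once; a `True` for `writable_by_service_user` on a version before 4.14.3 is the insecure default the advisory describes, and any entry in `unexpected_commands` is a block an operator should be able to account for.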

Generated by OpenCVE AI on March 19, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wazuh to version 4.14.3 or later to apply the vendor patch that prevents unauthorized file writes and removes insecure default permissions.

Tracking

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wazuh
Wazuh wazuh
Vendors & Products Wazuh
Wazuh wazuh

Tue, 17 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
Title Wazuh has Privilege Escalation to Root via Cluster Protocol File Write
Weaknesses CWE-22
CWE-269
CWE-732
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:05:19.277Z

Reserved: 2026-02-05T18:35:52.359Z

Link: CVE-2026-25770

Vulnrichment

Updated: 2026-03-17T18:15:32.117Z

NVD

Status: Analyzed

Published: 2026-03-17T18:16:15.437

Modified: 2026-03-19T17:11:26.750

Link: CVE-2026-25770

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:48:57Z

Weaknesses