CVE-2026-25770
Received Received - Intake
Privilege Escalation in Wazuh Manager Enables Root RCE

Publication date: 2026-03-17

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager’s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25770
EUVD
EUVD-2026-12597
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wazuh wazuh From 3.9.0 (inc) to 4.14.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25770 is a critical privilege escalation vulnerability in the Wazuh Manager's cluster synchronization protocol affecting versions from 3.9.0 up to but not including 4.14.3."}, {'type': 'paragraph', 'content': "The vulnerability exists because the wazuh-clusterd service, which runs as the unprivileged 'wazuh' user, allows authenticated cluster nodes to write arbitrary files to the manager’s filesystem without proper path validation or directory restrictions."}, {'type': 'paragraph', 'content': 'Specifically, the service concatenates user-controlled relative file paths directly with the base path without sanitizing for path traversal, enabling an attacker to overwrite critical files like the main configuration file ossec.conf.'}, {'type': 'paragraph', 'content': "Because the ossec.conf file has insecure default permissions allowing the 'wazuh' user to write to it, an attacker can inject malicious command blocks into this configuration."}, {'type': 'paragraph', 'content': 'The wazuh-logcollector service, which runs as root, parses this poisoned configuration and executes the injected commands, resulting in full root remote code execution.'}, {'type': 'paragraph', 'content': "This breaks the security model by escalating privileges from the 'wazuh' user to root without requiring local user accounts or user interaction."}] [1]

Impact Analysis

This vulnerability allows an attacker with cluster credentials to gain full root remote code execution on the Wazuh Manager system.

With root access, the attacker can execute arbitrary commands, modify or delete critical files, disrupt services, and potentially move laterally within the network.

The attack requires network access to the Wazuh Cluster Protocol port and possession of the Cluster Key, which could be obtained through compromise of a worker node, insider knowledge, or leaked backups.

The impact includes complete loss of confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves checking for unauthorized or suspicious writes to the Wazuh Manager's main configuration file (/var/ossec/etc/ossec.conf) and monitoring network activity on TCP port 1516, which is used by the Wazuh Cluster Protocol."}, {'type': 'paragraph', 'content': 'You can verify if your Wazuh Manager version is vulnerable by checking the installed version; versions starting from 3.9.0 up to before 4.14.3 are affected.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check Wazuh Manager version: `wazuh-manager -v` or check package version via your package manager.'}, {'type': 'list_item', 'content': "Check permissions of the ossec.conf file: `ls -l /var/ossec/etc/ossec.conf` (look for group-write permissions allowing the 'wazuh' user to write)."}, {'type': 'list_item', 'content': 'Monitor recent changes to ossec.conf: `stat /var/ossec/etc/ossec.conf` or `ls -ltr /var/ossec/etc/ossec.conf`.'}, {'type': 'list_item', 'content': 'Search for suspicious <localfile> command blocks in ossec.conf that could indicate injection.'}, {'type': 'list_item', 'content': 'Monitor network connections on TCP port 1516 to detect unusual cluster protocol activity: `netstat -anp | grep 1516` or `ss -anp | grep 1516`.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': 'Upgrade Wazuh Manager to version 4.14.3 or later, where the vulnerability is fixed.'}, {'type': 'list_item', 'content': "Harden the permissions of the main configuration file (/var/ossec/etc/ossec.conf) to prevent write access by the 'wazuh' user. Set permissions to root:wazuh with mode 640 (e.g., `chmod 640 /var/ossec/etc/ossec.conf` and `chown root:wazuh /var/ossec/etc/ossec.conf`)."}, {'type': 'list_item', 'content': 'Enforce strict chroot or allowlist restrictions in the wazuh-clusterd service to limit file writes to safe directories such as /var/ossec/var/cluster/incoming and reject writes to sensitive paths.'}, {'type': 'list_item', 'content': 'Restrict access to the cluster key and monitor for any unauthorized access to cluster credentials.'}, {'type': 'list_item', 'content': 'Monitor network traffic on TCP port 1516 and audit cluster node activities to detect and prevent exploitation attempts.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25770. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart