Platform
linux
Component
wazuh
Fixed in
3.9.1
A privilege escalation vulnerability has been identified in Wazuh Manager, a threat prevention and detection platform. This flaw, present in versions 3.9.0 up to, but not including, 4.14.3, allows authenticated nodes to write arbitrary files as the wazuh system user. The vulnerability stems from insecure default permissions within the cluster synchronization protocol, enabling attackers to modify critical configuration files.
The core impact of CVE-2026-25770 is that an attacker can gain elevated privileges on the Wazuh Manager. Specifically, the wazuh-clusterd service allows authenticated nodes to overwrite files with the permissions of the wazuh user. Because the wazuh user has write access to /var/ossec/etc/ossec.conf, the primary Wazuh configuration file, an attacker can modify this file to alter Wazuh's behavior. This could include disabling security rules, adding malicious agents, or even gaining remote code execution capabilities. The blast radius extends to all systems monitored by the Wazuh Manager, as a compromised manager can silently alter security policies and introduce backdoors.
CVE-2026-25770 was publicly disclosed on March 17, 2026. Its CRITICAL CVSS score indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to become a target. It has not yet been added to the CISA KEV catalog.
Organizations utilizing Wazuh Manager versions 3.9.0 through 4.14.2 are at risk. This includes those relying on Wazuh for security monitoring and incident response, particularly those with exposed cluster synchronization interfaces or inadequate network segmentation. Shared hosting environments running Wazuh Manager are also at increased risk due to potential shared access to the Wazuh cluster.
• linux / server:
  journalctl -u wazuh-clusterd | grep -i "write access"
• linux / server:
  find /var/ossec/etc/ossec.conf -type f -mmin -60   # Check for modifications in the last 60 minutes
• linux / server:
  lsof -a -i :1567 -p $(pidof wazuh-clusterd)   # Check for connections to the cluster protocol (-a ANDs the port and PID filters; without it lsof lists either)
Exploit status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-25770 is to upgrade Wazuh Manager to version 4.14.3 or later, which contains the fix. If an immediate upgrade is not possible, consider temporarily restricting access to the cluster synchronization protocol. Review Wazuh agent configurations and audit logs for any suspicious activity. Implement strict network segmentation to limit access to the Wazuh Manager. After upgrading, verify the integrity of the /var/ossec/etc/ossec.conf file by comparing its hash against a known good baseline.
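The two checks above (is the installed version inside 3.9.0 up to but not including 4.14.3, and does ossec.conf still match a known-good hash) as a small POSIX shell triage helper. This is an added example, not code from the advisory or the Wazuh project; it assumes that `wazuh-control info` prints a line of the form `WAZUH_VERSION="v4.14.2"` and that the baseline digest was recorded from a trusted copy of the file.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the Wazuh project).
# Decides whether a Wazuh Manager version lies in [3.9.0, 4.14.3) and whether
# ossec.conf still matches a known-good SHA-256 baseline.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B (dotted numeric versions).
vercmp() {
  a=$1.0.0; b=$2.0.0          # pad so short versions still yield three fields
  i=1
  while [ "$i" -le 3 ]; do
    x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    i=$((i + 1))
  done
  echo 0
}

# is_affected V: succeeds when V (optional leading "v") is in [3.9.0, 4.14.3).
is_affected() {
  v=${1#v}
  [ "$(vercmp "$v" 3.9.0)" -ge 0 ] && [ "$(vercmp "$v" 4.14.3)" -lt 0 ]
}

# version_from_info: reads `wazuh-control info` output on stdin and prints the
# version; assumes (not verified here) a line like WAZUH_VERSION="v4.14.2".
version_from_info() {
  sed -n 's/^WAZUH_VERSION="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p'
}

# sha256_of FILE: prints the hex digest with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# config_matches_baseline FILE DIGEST: succeeds when FILE hashes to DIGEST.
config_matches_baseline() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# triage VERSION FILE DIGEST: prints findings; exit status 0 = nothing found,
# 1 = affected version, 2 = config drift, 3 = both.
triage() {
  rc=0
  if is_affected "$1"; then
    echo "Wazuh Manager $1 is within 3.9.0 <= v < 4.14.3: upgrade to 4.14.3 or later"
    rc=$((rc + 1))
  fi
  if ! config_matches_baseline "$2" "$3"; then
    echo "$2 does not match the recorded baseline digest: inspect it before trusting it"
    rc=$((rc + 2))
  fi
  return "$rc"
}
# Usage on a manager (baseline digest taken from a known-good copy):
#   triage "$(/var/ossec/bin/wazuh-control info | version_from_info)" /var/ossec/etc/ossec.conf <baseline-sha256>
```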
Upgrade Wazuh Manager to version 4.14.3 or later. This fixes the privilege escalation vulnerability in the cluster synchronization protocol.
CVE-2026-25770 is a critical vulnerability in Wazuh Manager versions 3.9.0 to 4.14.2, allowing authenticated nodes to overwrite configuration files, potentially leading to privilege escalation.
If you are running Wazuh Manager version 3.9.0 or later, and before version 4.14.3, you are potentially affected by this vulnerability.
Upgrade Wazuh Manager to version 4.14.3 or later to remediate the vulnerability. Consider temporary access restrictions as an interim measure.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to become a target.
Refer to the official Wazuh security advisory for detailed information and updates: [https://www.wazuh.com/security-advisories/](https://www.wazuh.com/security-advisories/)