Platform: linux
Component: wazuh
Fixed in: 3.9.1
A privilege escalation vulnerability has been identified in Wazuh Manager, a threat prevention and detection platform. This flaw, present in versions 3.9.0 up to, but not including, 4.14.3, allows authenticated nodes to write arbitrary files as the wazuh system user. The vulnerability stems from insecure default permissions within the cluster synchronization protocol, enabling attackers to modify critical configuration files.
The core impact of CVE-2026-25770 is that an attacker can gain elevated privileges on the Wazuh Manager. Specifically, the wazuh-clusterd service allows authenticated nodes to overwrite files with the permissions of the wazuh user. Because the wazuh user has write access to /var/ossec/etc/ossec.conf, the primary Wazuh configuration file, an attacker can modify this file to alter Wazuh's behavior. This could include disabling security rules, adding malicious agents, or even gaining remote code execution capabilities. The blast radius extends to all systems monitored by the Wazuh Manager, as a compromised manager can silently alter security policies and introduce backdoors.
CVE-2026-25770 was publicly disclosed on March 17, 2026. Its CRITICAL CVSS score indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests it is likely to become a target. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-25770 is to upgrade Wazuh Manager to version 4.14.3 or later, which contains the fix. If an immediate upgrade is not possible, consider temporarily restricting access to the cluster synchronization protocol. Review Wazuh agent configurations and audit logs for any suspicious activity. Implement strict network segmentation to limit access to the Wazuh Manager. After upgrading, verify the integrity of the /var/ossec/etc/ossec.conf file by comparing its hash against a known good baseline.
Update Wazuh Manager to version 4.14.3 or higher. This corrects the privilege escalation vulnerability in the cluster synchronization protocol.
CVE-2026-25770 is a critical vulnerability in Wazuh Manager versions 3.9.0 to 4.14.2, allowing authenticated nodes to overwrite configuration files, potentially leading to privilege escalation.
If you are running Wazuh Manager version 3.9.0 or later, and before version 4.14.3, you are potentially affected by this vulnerability.
Upgrade Wazuh Manager to version 4.14.3 or later to remediate the vulnerability. Consider temporary access restrictions as an interim measure.
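The two checks the advisory asks operators to perform, deciding whether an installed Wazuh Manager version falls inside the affected range (3.9.0 up to, but not including, 4.14.3) and verifying /var/ossec/etc/ossec.conf against a known-good hash after upgrading, are shown together below as an added example. This is not code from the advisory or from the Wazuh project; the version-tuple comparison, the `check_config` report format and the stand-in ossec.conf written to a temporary directory are all assumptions made for the demonstration, and the permissions check (flagging group- or world-writable config) is an extra hardening step beyond the page's hash comparison.

```python
import hashlib
import os
import tempfile
from typing import Tuple

# Affected range stated by the advisory: 3.9.0 <= version < 4.14.3 (fixed in 4.14.3).
AFFECTED_FROM = (3, 9, 0)
FIXED_IN = (4, 14, 3)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as "4.14.2" into a comparable tuple.
    A leading "v" is tolerated; missing components are padded with zeros."""
    parts = version.strip().lstrip("v").split(".")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """True when a Wazuh Manager version lies inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large configs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_config(path: str, baseline_sha256: str) -> dict:
    """Compare a config file against a known-good SHA-256 and flag loose permissions.
    Returns a report dict instead of printing so callers (cron, CI) can act on it."""
    st = os.stat(path)
    actual = sha256_file(path)
    return {
        "hash_matches": actual == baseline_sha256.lower(),
        "sha256": actual,
        # Group- or world-writable config lets more than the owning user change it.
        "group_or_world_writable": bool(st.st_mode & 0o022),
        "mode": oct(st.st_mode & 0o777),
    }


def demo() -> dict:
    """Constructed demonstration: a stand-in ossec.conf in a temp dir, not a real Wazuh install.
    Records the baseline hash, then rewrites the file to simulate tampering."""
    baseline_content = (
        b"<ossec_config>\n  <global>\n    <jsonout_output>yes</jsonout_output>\n"
        b"  </global>\n</ossec_config>\n"
    )
    tampered_content = baseline_content.replace(
        b"</ossec_config>", b"  <!-- constructed change -->\n</ossec_config>"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ossec.conf")
        with open(path, "wb") as f:
            f.write(baseline_content)
        os.chmod(path, 0o640)  # owner rw, group r: the usual shape for a service config
        baseline = sha256_file(path)
        clean = check_config(path, baseline)
        with open(path, "wb") as f:
            f.write(tampered_content)
        tampered = check_config(path, baseline)
    return {
        "clean_matches": clean["hash_matches"],
        "clean_loose_perms": clean["group_or_world_writable"],
        "tampered_matches": tampered["hash_matches"],
    }


if __name__ == "__main__":
    for v in ("3.8.9", "3.9.0", "4.14.2", "4.14.3"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(demo())
```

On a real host, replace the temp-dir stand-in with the path /var/ossec/etc/ossec.conf and a baseline hash recorded immediately after the upgrade to 4.14.3; a `hash_matches` of False after that point is the signal to investigate, and `group_or_world_writable` should stay False.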
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to become a target.
Refer to the official Wazuh security advisory for detailed information and updates: [https://www.wazuh.com/security-advisories/](https://www.wazuh.com/security-advisories/)