Wazuh
Company Details
Linkedin ID:
wazuh
Website:
Employees number:
259
Number of followers:
71,485
NAICS:
541514
Industry Type:
Homepage:
wazuh.com
IP Addresses:
0
Company ID:
WAZ_2382209
Scan Status:
In-progress
Wazuh Company CyberSecurity Posture
wazuh.com
Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh, with over 10 million downloads per year, has one of the largest open-source security communities in the world. Wazuh helps organizations of all sizes protect their data assets against security threats. Learn more about the project at wazuh.com
Wazuh A.I CyberSecurity Scoring
Wazuh Risk Score (AI oriented)Between 750 and 799
Wazuh
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Wazuh Global Score (TPRM)XXXX
Wazuh
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Wazuh Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
Wazuh: Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)
Vulnerability
Rankiteo Explanation
Attack without any consequences
Description: Mirai Botnets Exploit Critical Wazuh XDR/SIEM Vulnerability (CVE-2025-24016) Akamai researchers have identified two Mirai botnets actively exploiting a critical remote code execution (RCE) vulnerability (CVE-2025-24016) in Wazuh, a widely used open-source XDR/SIEM platform. The flaw, an unsafe deserialization issue, affects Wazuh Manager versions 4.4.0 through 4.9.0 and can be triggered by attackers with API access either through a compromised dashboard, server cluster, or, in some configurations, a compromised agent. Exploitation requires valid Wazuh API credentials, which attackers may obtain through prior breaches or credential theft. The vulnerability was patched in Wazuh 4.9.1 (October 2024), but public disclosure in February 2025 led to active attacks beginning in March 2025. The botnets leverage a public proof-of-concept (PoC) exploit released on February 21, delivering malicious shell scripts that download Mirai malware variants targeting multiple architectures, including those common in IoT devices. In May 2025, Akamai observed a third Mirai botnet attempting similar attacks, though targeting a non-standard Wazuh endpoint likely another attempt to exploit the same flaw. Beyond Wazuh, these botnets also scan for legacy vulnerabilities in Hadoop YARN, TP-Link, ZTE, Huawei, and ZyXEL routers, as well as the RealTek SDK, demonstrating their adaptability in expanding their infrastructure. The attacks highlight how botnet operators rapidly weaponize public PoC exploits to grow their networks, often before organizations apply patches. This trend mirrors recent incidents, such as the exploitation of a Roundcube RCE flaw, where attackers reverse-engineered patches to exploit vulnerabilities before widespread remediation.
Wazuh Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Wazuh
Incidents vs Computer and Network Security Industry Average (This Year)
No incidents recorded for Wazuh in 2026.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Wazuh in 2026.
Incident Types Wazuh vs Computer and Network Security Industry Avg (This Year)
No incidents recorded for Wazuh in 2026.
Incident History — Wazuh (X = Date, Y = Severity)
Wazuh cyber incidents detection timeline including parent company and subsidiaries
Wazuh Company Subsidiaries
Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh, with over 10 million downloads per year, has one of the largest open-source security communities in the world. Wazuh helps organizations of all sizes protect their data assets against security threats. Learn more about the project at wazuh.com
Loading...
Wazuh Similar Companies
Palo Alto Networks
Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with technology that is transforming the way people and organizations operate. Our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We help address the world's greatest s
NETWORK-SECURITY-SOLUTIONS
## Our core business We manage linux / unix server infrastructures and build the efficient and secure networking environments using hardware cutting edge technologies suited to the needs of the project and the client. We believe in quality, opposed to quantity. Our company consists of highly
CrowdStrike
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk — endpoints and cloud workloads, identity and data. Powered by the CrowdStrike Security Cloud and world-clas
.png)
Wazuh CyberSecurity News
January 09, 2026 08:00 AM
8 Best Open Source SIEM Tools – 2026
Open Source SIEM Tools. OSSIM. OSSEC. Wazuh. Apache Metron. SIEMonster. Prelude SIEM. Security Onion. Suricata.
January 08, 2026 08:00 AM
10 Best Open-Source Blue Team Tools - 2026
Blue Team Tools: 1. Wazuh – SIEM & XDR 2. Wireshark 3. ClamAV 4. Snort 5. Nikto 6. OpenVAS 7. Yara 8. Sigma | SIEM Signatures 9. Nmap.
January 06, 2026 08:00 AM
Best SIEM Tools List For SOC Team – 2026
Best SIEM Tools :1. Splunk 2. QRadar 3. Arcsight 4. Sentinel 5. Chronicle 6. OSSIM 7. OSSEC 8. Wazuh 9. Apache Mertron 10. SIEMonster.
December 09, 2025 08:00 AM
Maintaining enterprise IT hygiene using Wazuh SIEM/XDR
Poor IT hygiene, such as unused accounts, outdated software, and risky extensions, creates hidden exposure in your infrastructure. Wazuh...
November 04, 2025 08:00 AM
Ransomware Defense Using the Wazuh Open Source Platform
Wazuh enhances ransomware defense with real-time detection, automated response, and Windows file recovery.
October 06, 2025 07:00 AM
The role of Artificial Intelligence in today’s cybersecurity landscape
AI is transforming cybersecurity—from detecting phishing and insider threats to accelerating response. See how Waziuh, the open-source XDR...
September 22, 2025 07:00 AM
Lumu Integrates Maltiverse Threat Intelligence with Wazuh for Stronger Cyber Defense
The partnership provides Wazuh users with a comprehensive picture of their security posture, empowering security teams to act faster,...
July 17, 2025 07:00 AM
Tired of gaps in your security? These open-source tools can help
Threat detection needs scalable open-source tools that unify data from multiple sources to simplify analysis and improve response.
July 03, 2025 07:00 AM
Wazuh issues new rules to detect fast-moving Mamona ransomware
Wazuh has issued new detection rules to address Mamona, a ransomware variant targeting Windows users that deletes itself soon after encrypting files and...
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Wazuh CyberSecurity History Information
Official Website of Wazuh
The official website of Wazuh is https://www.wazuh.com.
Wazuh’s AI-Generated Cybersecurity Score
According to Rankiteo, Wazuh’s AI-generated cybersecurity score is 754, reflecting their Fair security posture.
How many security badges does Wazuh’ have ?
According to Rankiteo, Wazuh currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Has Wazuh been affected by any supply chain cyber incidents ?
According to Rankiteo, Wazuh has not been affected by any supply chain cyber incidents, and no incident IDs are currently listed for the organization.
Does Wazuh have SOC 2 Type 1 certification ?
According to Rankiteo, Wazuh is not certified under SOC 2 Type 1.
Does Wazuh have SOC 2 Type 2 certification ?
According to Rankiteo, Wazuh does not hold a SOC 2 Type 2 certification.
Does Wazuh comply with GDPR ?
According to Rankiteo, Wazuh is not listed as GDPR compliant.
Does Wazuh have PCI DSS certification ?
According to Rankiteo, Wazuh does not currently maintain PCI DSS compliance.
Does Wazuh comply with HIPAA ?
According to Rankiteo, Wazuh is not compliant with HIPAA regulations.
Does Wazuh have ISO 27001 certification ?
According to Rankiteo,Wazuh is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Wazuh
Wazuh operates primarily in the Computer and Network Security industry.
Number of Employees at Wazuh
Wazuh employs approximately 259 people worldwide.
Subsidiaries Owned by Wazuh
Wazuh presently has no subsidiaries across any sectors.
Wazuh’s LinkedIn Followers
Wazuh’s official LinkedIn profile has approximately 71,485 followers.
NAICS Classification of Wazuh
Wazuh is classified under the NAICS code 541514, which corresponds to Others.
Wazuh’s Presence on Crunchbase
No, Wazuh does not have a profile on Crunchbase.
Wazuh’s Presence on LinkedIn
Yes, Wazuh maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/wazuh.
Cybersecurity Incidents Involving Wazuh
As of January 24, 2026, Rankiteo reports that Wazuh has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
Wazuh has an estimated 3,300 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Wazuh ?
Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability.
How does Wazuh detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with akamai researchers, and remediation measures with upgrade to wazuh version 4.9.1 or later..
Incident Details
Can you provide details on each incident ?
Title: Mirai Botnets Exploiting CVE-2025-24016 in Wazuh XDR/SIEM Platform
Description: Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform. The vulnerability is an unsafe deserialization flaw in Wazuh Manager versions 4.4.0 through 4.9.0, which can be triggered by attackers with API access or compromised agents. The flaw was patched in version 4.9.1 (October 2024) and publicly disclosed in February 2025. Active exploitation began in March 2025, with botnets using a public PoC exploit to deliver Mirai malware variants targeting IoT devices.
Date Detected: 2025-03-01
Date Publicly Disclosed: 2025-02-01
Type: Botnet Exploitation
Attack Vector: Remote Code Execution (RCE)
Vulnerability Exploited: CVE-2025-24016 (Unsafe Deserialization)
Threat Actor: Mirai Botnet Operators
Motivation: Botnet Expansion
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Vulnerability.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Wazuh API access or compromised agents.
Impact of the Incidents
What was the impact of each incident ?
Incident : Botnet Exploitation WAZ1766629994
Systems Affected: Wazuh Manager (versions 4.4.0 - 4.9.0), IoT devices
Operational Impact: Potential compromise of security monitoring and incident response capabilities
Brand Reputation Impact: Potential reputational damage for Wazuh and affected organizations
Which entities were affected by each incident ?
Incident : Botnet Exploitation WAZ1766629994
Entity Name: Wazuh
Entity Type: Open-Source Security Platform
Industry: Cybersecurity
Customers Affected: Organizations using Wazuh Manager versions 4.4.0 - 4.9.0
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Botnet Exploitation WAZ1766629994
Third Party Assistance: Akamai Researchers
Remediation Measures: Upgrade to Wazuh version 4.9.1 or later
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Akamai Researchers.
Data Breach Information
What measures does the company take to prevent data exfiltration ?
Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Upgrade to Wazuh version 4.9.1 or later.
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Botnet Exploitation WAZ1766629994
Lessons Learned: Botnet operators rapidly adapt public PoC exploit code to grow or create new botnets. Organizations must prioritize patching critical vulnerabilities promptly to prevent exploitation.
What recommendations were made to prevent future incidents ?
Incident : Botnet Exploitation WAZ1766629994
Recommendations: Upgrade Wazuh Manager to version 4.9.1 or later immediately, Monitor for unusual API access or compromised agents, Implement network segmentation to limit lateral movement, Enhance monitoring for IoT device compromises, Stay informed about vulnerability disclosures and apply patches promptlyUpgrade Wazuh Manager to version 4.9.1 or later immediately, Monitor for unusual API access or compromised agents, Implement network segmentation to limit lateral movement, Enhance monitoring for IoT device compromises, Stay informed about vulnerability disclosures and apply patches promptlyUpgrade Wazuh Manager to version 4.9.1 or later immediately, Monitor for unusual API access or compromised agents, Implement network segmentation to limit lateral movement, Enhance monitoring for IoT device compromises, Stay informed about vulnerability disclosures and apply patches promptlyUpgrade Wazuh Manager to version 4.9.1 or later immediately, Monitor for unusual API access or compromised agents, Implement network segmentation to limit lateral movement, Enhance monitoring for IoT device compromises, Stay informed about vulnerability disclosures and apply patches promptlyUpgrade Wazuh Manager to version 4.9.1 or later immediately, Monitor for unusual API access or compromised agents, Implement network segmentation to limit lateral movement, Enhance monitoring for IoT device compromises, Stay informed about vulnerability disclosures and apply patches promptly
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are Botnet operators rapidly adapt public PoC exploit code to grow or create new botnets. Organizations must prioritize patching critical vulnerabilities promptly to prevent exploitation.
References
Where can I find more information about each incident ?
Incident : Botnet Exploitation WAZ1766629994
Source: Wazuh Security Advisory
Date Accessed: 2025-02-01
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Akamai ResearchDate Accessed: 2025-05-01, and Source: Wazuh Security AdvisoryDate Accessed: 2025-02-01.
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Botnet Exploitation WAZ1766629994
Investigation Status: Ongoing
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Botnet Exploitation WAZ1766629994
Entry Point: Wazuh API access or compromised agents
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Botnet Exploitation WAZ1766629994
Root Causes: Unsafe deserialization vulnerability in Wazuh Manager (CVE-2025-24016), delayed patching by organizations, and rapid exploitation by botnet operators using public PoC code
Corrective Actions: Patch management improvements, enhanced API security, and proactive monitoring for exploitation attempts
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Akamai Researchers.
What corrective actions has the company taken based on post-incident analysis ?
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Patch management improvements, enhanced API security, and proactive monitoring for exploitation attempts.
Additional Questions
General Information
Who was the attacking group in the last incident ?
Last Attacking Group: The attacking group in the last incident was an Mirai Botnet Operators.
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2025-03-01.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-02-01.
Impact of the Incidents
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Akamai Researchers.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Botnet operators rapidly adapt public PoC exploit code to grow or create new botnets. Organizations must prioritize patching critical vulnerabilities promptly to prevent exploitation.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Upgrade Wazuh Manager to version 4.9.1 or later immediately, Stay informed about vulnerability disclosures and apply patches promptly, Enhance monitoring for IoT device compromises, Implement network segmentation to limit lateral movement and Monitor for unusual API access or compromised agents.
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are Akamai Research and Wazuh Security Advisory.
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker was an Wazuh API access or compromised agents.
.png)
Latest Global CVEs (Not Company-Specific)
Description
Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.
Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Description
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results.
Description
A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.
Description
A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.
Risk Information
cvss3
Base: 6.0
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
cvss4
Base: 6.0
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
References
Description
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=wazuh' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
