Wazuh A.I CyberSecurity Scoring
Wazuh
Company Information
Website: https://www.wazuh.com
Employees: 259
Followers: 71,485
NAICS: 541514
Industry type: Computer and Network Security
Homepage: wazuh.com
Wazuh Risk Score (AI oriented)
Score band: between 700 and 749
Current score: 749/1000, grade Ba (Moderate)
Updated: 15/06/2026
Wazuh Global Score (TPRM): score locked
Incidents on record: 2, average impact -5 points
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 754
Vulnerability, 15 Jun 2026, Wazuh (incident WAZ1781519186, severity CRITICAL-5, score 754 before, 749 after)
Headline: Wazuh: Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence
Critical Wazuh Manager Vulnerability Allows Remote Data Tampering and Evidence Deletion
A severe flaw in Wazuh Manager (CVE pending, CVSS 10.0) has been disclosed that lets remote attackers manipulate security alerts, delete forensic evidence, and tamper with SIEM data. It affects Wazuh Manager 5.0.0-beta1 and stems from an NDJSON injection in the `inventory_sync` subsystem: the agent-supplied `DataValue.index` field is written into the OpenSearch bulk request without any sanitization.
Because the `_index` value is concatenated verbatim while other fields such as `_id` are JSON-escaped, a malicious or compromised agent can embed quotes, JSON fragments, and newline characters in it. NDJSON treats every newline as the boundary between bulk actions, so a crafted value closes the current action and appends new ones, smuggling unauthorized `delete`, `index`, or `update` operations into a request the manager believes contains only its own inventory writes.
Exploitation needs no prior authentication because the default `wazuh-authd` configuration permits agent enrollment without an enrollment password. Once enrolled, an attacker can:
- Delete arbitrary documents from Wazuh indices, erasing logs and alerts.
- Modify vulnerability and inventory data for other agents.
- Inject malicious content into Kibana dashboards for persistence or misdirection.
- Manipulate cross-tenant data in shared environments.
Researchers demonstrated a proof-of-concept (PoC) exploit over the standard agent channels (TCP 1515 for enrollment, TCP 1514 for agent-to-manager traffic), confirming that the injected operations run under the high-privileged OpenSearch credentials held in the Wazuh keystore rather than under any per-agent identity. The flaw is classified under CWE-74 (Injection), CWE-93 (CRLF Injection), and CWE-863 (Incorrect Authorization); its root cause is the missing input validation and improper neutralization of special characters in the index name.
The issue was fixed in Wazuh 5.0.0-beta3 (GitHub advisory GHSA-ff9g-85jq-r3g3). Organizations running affected versions should upgrade immediately, consider requiring an enrollment password in `wazuh-authd` so that unknown hosts cannot enroll at will, and review the indexer for unexpected deletions or modifications of alert and inventory documents. Because an attacker can silently alter the data a SOC relies on, the flaw strikes directly at the integrity of detection and response.
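The following is an added illustration of the bug class described above, not Wazuh's own code: a bulk-request builder that JSON-encodes `_id` but appends `_index` verbatim, a hardened builder that allow-lists the index name and lets the JSON encoder serialise the whole action, and a small parser that applies the NDJSON `_bulk` semantics (one action line, then a source line for every action except `delete`). The index names, the `wazuh-states-` allow-list prefix, and the smuggled payload are all constructed assumptions for the demonstration.

```python
import json
import re

# Constructed model of the flaw: not Wazuh's code. Index names and the allow-list
# prefix are assumptions made for this example.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_.-]{0,254}")  # assumed conservative index-name allow-list
ALLOWED_PREFIX = "wazuh-states-"                            # assumed: only indices inventory_sync may write


def build_bulk_vulnerable(ops):
    """Reproduces the flaw: _id goes through json.dumps, _index is concatenated verbatim."""
    lines = []
    for op in ops:
        action = '{"index":{"_index":"' + op["index"] + '","_id":' + json.dumps(op["id"]) + "}}"
        lines.append(action)
        lines.append(json.dumps(op["doc"], separators=(",", ":")))
    return "\n".join(lines) + "\n"


def build_bulk_hardened(ops):
    """Fix: reject anything that is not a plain, allow-listed index name, then serialise the
    whole action with the JSON encoder so quotes and newlines can never reach the wire."""
    lines = []
    for op in ops:
        idx = op["index"]
        # fullmatch, not match() with '$': '$' would still accept a trailing newline
        if INDEX_NAME_RE.fullmatch(idx) is None or not idx.startswith(ALLOWED_PREFIX):
            raise ValueError(f"rejected index name: {idx!r}")
        lines.append(json.dumps({"index": {"_index": idx, "_id": op["id"]}}, separators=(",", ":")))
        lines.append(json.dumps(op["doc"], separators=(",", ":")))
    return "\n".join(lines) + "\n"


def hardened_rejects(ops):
    """True when the hardened builder refuses the batch."""
    try:
        build_bulk_hardened(ops)
    except ValueError:
        return True
    return False


def parse_bulk(body):
    """Returns (op_type, index, id, source) tuples the way _bulk interprets an NDJSON body."""
    lines = body.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # NDJSON bodies end with a newline
    parsed, i = [], 0
    while i < len(lines):
        action = json.loads(lines[i])
        (op_type, meta), = action.items()
        i += 1
        source = None
        if op_type != "delete":  # index/create/update carry a source line; delete does not
            source = json.loads(lines[i])
            i += 1
        parsed.append((op_type, meta["_index"], meta.get("_id"), source))
    return parsed


def deletes_in(body):
    """(index, id) of every delete the indexer would execute for this body."""
    return [(idx, doc_id) for t, idx, doc_id, _ in parse_bulk(body) if t == "delete"]


# Constructed agent-supplied index value. It closes the builder's action, supplies a
# throwaway source line so the parser stays in sync, smuggles a delete against an
# alerts index (name assumed), and reopens an index action so the builder's own
# trailing '","_id":...}}' fragment still parses.
SMUGGLED_INDEX = (
    'wazuh-states-inventory-x","_id":"junk"}}\n'
    "{}\n"
    '{"delete":{"_index":"wazuh-alerts-4.x-2026.06.15","_id":"alert-to-erase"}}\n'
    '{"index":{"_index":"wazuh-states-inventory-x'
)

BENIGN_OPS = [{"index": "wazuh-states-inventory-packages", "id": "agent-001", "doc": {"pkg": "bash"}}]
MALICIOUS_OPS = [{"index": SMUGGLED_INDEX, "id": "agent-001", "doc": {"os": "linux"}}]


if __name__ == "__main__":
    print("vulnerable, benign   :", parse_bulk(build_bulk_vulnerable(BENIGN_OPS)))
    print("vulnerable, malicious:", deletes_in(build_bulk_vulnerable(MALICIOUS_OPS)))
    print("hardened rejects it  :", hardened_rejects(MALICIOUS_OPS))
```

With the vulnerable builder, one inventory write from the agent turns into three bulk actions, one of them a `delete` against an index the agent should never be able to touch; the hardened builder refuses the value before it is serialised. Escaping alone would stop the injection, but the allow-list is what enforces the authorization boundary (CWE-863): even a syntactically clean index name must still belong to the set this subsystem is permitted to write.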
MAY 2026: 754
APRIL 2026: 754
MARCH 2026: 754
FEBRUARY 2026: 754
JANUARY 2026: 754
DECEMBER 2025: 754
NOVEMBER 2025: 754
OCTOBER 2025: 753
SEPTEMBER 2025: 753
AUGUST 2025: 753
JULY 2025: 753
JUNE 2025: 754
Vulnerability, 10 Jun 2025, Wazuh (incident WAZ1766629994, severity LOW-1, score 754 before, 753 after)
Headline: Wazuh: Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)
Mirai Botnets Exploit Critical Wazuh XDR/SIEM Vulnerability (CVE-2025-24016)
Akamai researchers have identified two Mirai botnets actively exploiting CVE-2025-24016, a critical remote code execution (RCE) vulnerability in Wazuh, a widely used open-source XDR/SIEM platform. The flaw is an unsafe deserialization issue in the Wazuh API that affects Wazuh Manager versions 4.4.0 through 4.9.0 and can be triggered by anyone with API access, whether through a compromised dashboard, a compromised server in the cluster or, in some configurations, a compromised agent.
Exploitation requires valid Wazuh API credentials, which attackers may obtain through earlier breaches or credential theft. The vulnerability was patched in Wazuh 4.9.1 (October 2024); public disclosure in February 2025 was followed by active attacks starting in March 2025.
The botnets use a public proof-of-concept (PoC) exploit released on 21 February 2025, delivering shell scripts that download Mirai variants built for multiple architectures, including those common on IoT devices. In May 2025, Akamai observed a third Mirai botnet attempting similar attacks against a non-standard Wazuh endpoint, likely another attempt to exploit the same flaw.
Beyond Wazuh, these botnets also scan for legacy vulnerabilities in Hadoop YARN, TP-Link, ZTE, Huawei, and ZyXEL routers, and in the Realtek SDK, showing how readily they expand their infrastructure across whatever is exposed.
The attacks show how quickly botnet operators weaponize public PoC exploits to grow their networks, often before organizations apply patches. The pattern mirrors recent incidents such as the Roundcube RCE flaw, where attackers reverse-engineered the patch to build an exploit before remediation was widespread.
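The one check every Wazuh operator should run after reading the above is whether a manager sits inside the affected window, 4.4.0 through 4.9.0. The block below is an added example, not Wazuh's or Akamai's code: it parses a version string into an integer tuple so that 4.10.x is correctly treated as newer than 4.9.1 (a plain string comparison gets that wrong) and, as an assumption, reads `WAZUH_VERSION` from output in the style of `wazuh-control info`. The sample output is constructed for offline use.

```python
import re

# Added example, not Wazuh's code. Affected range taken from the summary above:
# Wazuh Manager 4.4.0 through 4.9.0 vulnerable, fixed in 4.9.1.
VULNERABLE_FROM = (4, 4, 0)
FIXED_IN = (4, 9, 1)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?")


def parse_version(text):
    """Turns 'v4.9.0' or '4.10.1-rc1' into an integer tuple so 4.10 sorts after 4.9."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the version lies in [4.4.0, 4.9.1), the CVE-2025-24016 window."""
    return VULNERABLE_FROM <= parse_version(version) < FIXED_IN


def version_from_control_info(output):
    """Pulls WAZUH_VERSION out of `wazuh-control info` style output (format assumed)."""
    m = re.search(r'^WAZUH_VERSION="?([^"\n]+)"?$', output, re.MULTILINE)
    if m is None:
        raise ValueError("WAZUH_VERSION not found in output")
    return m.group(1)


# Constructed sample of a manager's self-report, used as offline input.
SAMPLE_CONTROL_INFO = 'WAZUH_VERSION="v4.9.0"\nWAZUH_REVISION="40915"\nWAZUH_TYPE="server"\n'


def check_manager(output=SAMPLE_CONTROL_INFO):
    """Returns (version string, vulnerable?) for the given self-report."""
    version = version_from_control_info(output)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_manager()
    print(f"{version}: {'VULNERABLE, upgrade to 4.9.1 or later' if vulnerable else 'not in affected range'}")
    # The pitfall the tuple comparison avoids: as strings, "4.10.0" sorts before "4.9.1"
    print('"4.10.0" < "4.9.1" as strings:', "4.10.0" < "4.9.1")
```

A version outside the window is not a clean bill of health: because the flaw needs API credentials, any manager that was exposed while vulnerable should also have its API and dashboard credentials rotated, since those are what the botnets used.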
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Wazuh?
What was Wazuh's A.I Rankiteo Cyber Score in May 2026?
What was Wazuh's A.I Rankiteo Cyber Score in April 2026?
What was Wazuh's A.I Rankiteo Cyber Score in March 2026?
What was Wazuh's A.I Rankiteo Cyber Score in February 2026?
What was Wazuh's A.I Rankiteo Cyber Score in January 2026?
What was Wazuh's A.I Rankiteo Cyber Score in December 2025?
What was Wazuh's A.I Rankiteo Cyber Score in November 2025?
What was Wazuh's A.I Rankiteo Cyber Score in October 2025?
What was Wazuh's A.I Rankiteo Cyber Score in September 2025?
What was Wazuh's A.I Rankiteo Cyber Score in August 2025?
What was Wazuh's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Wazuh's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Wazuh?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Wazuh's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?