{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25770", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.359Z", "datePublished": "2026-03-17T18:02:07.456Z", "dateUpdated": "2026-03-18T13:05:19.277Z"}, "containers": {"cna": {"title": "Wazuh has Privilege Escalation to Root via Cluster Protocol File Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-732", "lang": "en", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm"}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"version": ">= 3.9.0, < 4.14.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:02:07.456Z"}, "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager\u2019s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue."}], "source": {"advisory": "GHSA-r4f7-v3p6-79jm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T03:55:51.572092Z", "id": "CVE-2026-25770", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:05:19.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Wazuh has Privilege Escalation to Root via Cluster Protocol File Write", "source": {"advisory": "GHSA-r4f7-v3p6-79jm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "wazuh", "product": "wazuh", "versions": [{"status": "affected", "version": ">= 3.9.0, < 4.14.3"}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm", "name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager\u2019s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T18:02:07.456Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25770", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T03:55:51.572092Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-17T18:15:32.117Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-25770", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:02:07.456Z", "dateReserved": "2026-02-05T18:35:52.359Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T18:02:07.456Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege escalation vulnerability exists in the Wazuh Manager's cluster synchronization protocol. The `wazuh-clusterd` service allows authenticated nodes to write arbitrary files to the manager\u2019s file system with the permissions of the `wazuh` system user. Due to insecure default permissions, the `wazuh` user has write access to the manager's main configuration file (`/var/ossec/etc/ossec.conf`). By leveraging the cluster protocol to overwrite `ossec.conf`, an attacker can inject a malicious `<localfile>` command block. The `wazuh-logcollector` service, which runs as root, parses this configuration and executes the injected command. This chain allows an attacker with cluster credentials to gain full Root Remote Code Execution, violating the principle of least privilege and bypassing the intended security model. Version 4.14.3 fixes the issue."}, {"lang": "es", "value": "Wazuh es una plataforma de c\u00f3digo abierto y gratuita utilizada para la prevenci\u00f3n, detecci\u00f3n y respuesta ante amenazas. A partir de la versi\u00f3n 3.9.0 y antes de la versi\u00f3n 4.14.3, existe una vulnerabilidad de escalada de privilegios en el protocolo de sincronizaci\u00f3n de cl\u00faster del Wazuh Manager. El servicio 'wazuh-clusterd' permite a los nodos autenticados escribir archivos arbitrarios en el sistema de archivos del gestor con los permisos del usuario del sistema 'wazuh'. Debido a permisos predeterminados inseguros, el usuario 'wazuh' tiene acceso de escritura al archivo de configuraci\u00f3n principal del gestor ('/var/ossec/etc/ossec.conf'). Aprovechando el protocolo del cl\u00faster para sobrescribir 'ossec.conf', un atacante puede inyectar un bloque de comando malicioso ''. El servicio 'wazuh-logcollector', que se ejecuta como root, analiza esta configuraci\u00f3n y ejecuta el comando inyectado. Esta cadena permite a un atacante con credenciales de cl\u00faster obtener la ejecuci\u00f3n remota de c\u00f3digo completa como Root, violando el principio de m\u00ednimo privilegio y eludiendo el modelo de seguridad previsto. La versi\u00f3n 4.14.3 corrige el problema."}], "id": "CVE-2026-25770", "lastModified": "2026-03-18T14:52:44.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-17T18:16:15.437", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-732"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.9.0,4.14.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "wazuh", "source": "cna", "vendor": "wazuh"}, "product": "wazuh", "vendor": "wazuh"}], "created": "2026-03-18T12:13:02.484478+00:00", "updated": "2026-03-18T12:13:02.484560+00:00", "vendors": ["wazuh", "wazuh$PRODUCT$wazuh"]}