CVE-2026-25769
Wazuh · Wazuh Manager
Wazuh deployments in cluster mode are vulnerable to Remote Code Execution via deserialization of untrusted data if a worker node is compromised.
Executive summary
Wazuh Manager is vulnerable to a critical Remote Code Execution flaw that allows a compromised worker node to gain root access to the master node via insecure data deserialization.
Vulnerability
The Wazuh cluster protocol carries serialized data from worker nodes to the master, and the master deserializes it without treating the sending worker as an untrusted peer. An attacker who has gained control of a worker node can therefore send a crafted serialized payload over the ordinary node-to-node channel and execute arbitrary code on the master with root privileges. Because the worker is already a legitimate cluster member, no separate authentication bypass is needed; the attack rides on the trust the master extends to its workers.
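As an added illustration of the bug class described above (not Wazuh's own code, not the CVE-2026-25769 payload, and with hypothetical names throughout): a toy cluster receiver that authenticates each frame with an HMAC over a shared cluster key and then deserializes the body with pickle, beside a hardened receiver that accepts only JSON and dispatches on an allowlisted message type. The same attacker frame is delivered to both. The constructed gadget only sets an environment variable where a real payload would spawn a shell, and then returns an innocent-looking message so the vulnerable receiver notices nothing.

```python
"""Added example: peer-authenticated pickle vs. JSON plus allowlist.
Hypothetical code, not Wazuh's cluster implementation."""
import hashlib
import hmac
import json
import os
import pickle

# Constructed shared secret standing in for a cluster key. Every node holds it,
# so a compromised worker produces valid MACs: authentication alone is no fix.
CLUSTER_KEY = b"constructed-demo-cluster-key"

# Environment variable the demo gadget sets; chosen for this example only.
MARKER = "DEMO_GADGET_RAN"


class MaliciousMessage:
    """pickle serializes this as 'rebuild by calling eval(<code>)'.
    pickle.loads() then CALLS eval before the receiver sees any data."""
    def __reduce__(self):
        # A real payload would run os.system / subprocess here. This one marks the
        # process environment and returns a plausible message as its "value".
        code = ("__import__('os').environ.update({%r: '1'}) "
                "or {'type': 'sync_status', 'ok': True}" % MARKER)
        return (eval, (code,))


def gadget_ran() -> bool:
    """True if code ran inside the receiving process during deserialization."""
    return os.environ.get(MARKER) == "1"


def sign(body: bytes) -> bytes:
    """Frame = HMAC-SHA256 tag (32 bytes) || body, keyed with the cluster key."""
    return hmac.new(CLUSTER_KEY, body, hashlib.sha256).digest() + body


def verify(frame: bytes) -> bytes:
    """Return the body if the tag is valid, else raise. Constant-time compare."""
    tag, body = frame[:32], frame[32:]
    expected = hmac.new(CLUSTER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    return body


# --- vulnerable pattern: native object serialization of peer-supplied data ---
def receive_unsafe(frame: bytes):
    body = verify(frame)       # proves a key holder sent it; the key holder is the attacker
    return pickle.loads(body)  # arbitrary code runs here, before any validation


# --- hardened pattern: data-only encoding plus a message-type allowlist ---
def handle_sync_status(msg):
    return {"acked": "sync_status", "ok": bool(msg.get("ok"))}


def handle_keepalive(msg):
    return {"acked": "keepalive"}


HANDLERS = {"sync_status": handle_sync_status, "keepalive": handle_keepalive}


def receive_safe(frame: bytes):
    body = verify(frame)
    try:
        msg = json.loads(body)  # JSON yields only dicts/lists/scalars, never callables
    except ValueError as exc:   # JSONDecodeError and UnicodeDecodeError are both ValueError
        raise ValueError("malformed message") from exc
    if not isinstance(msg, dict) or msg.get("type") not in HANDLERS:
        raise ValueError("rejected message type")
    return HANDLERS[msg["type"]](msg)


def demo():
    """Deliver the same attacker frame to both receivers and report what happened."""
    evil = sign(pickle.dumps(MaliciousMessage()))

    os.environ.pop(MARKER, None)
    unsafe_result = receive_unsafe(evil)
    unsafe_executed = gadget_ran()

    os.environ.pop(MARKER, None)
    try:
        receive_safe(evil)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    safe_executed = gadget_ran()

    good = sign(json.dumps({"type": "sync_status", "ok": True}).encode())
    return {
        "unsafe_executed": unsafe_executed,   # True: code ran, receiver saw a normal dict
        "unsafe_result": unsafe_result,
        "safe_rejected": safe_rejected,       # True: frame rejected as malformed JSON
        "safe_executed": safe_executed,       # False: nothing ran
        "good_result": receive_safe(good),
    }


if __name__ == "__main__":
    print(demo())
```

The point this makes for the threat model in the advisory: the MAC verifies because the compromised worker legitimately holds the cluster key, so peer authentication cannot stop the attack. What stops it is a wire format that cannot encode callables, followed by validation of the decoded fields before anything is dispatched.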
Business impact
A compromise of the master node means loss of control over the entire security monitoring infrastructure. The flaw carries a CVSS score of 9.1 and turns a single compromised worker into root on the master, from which an attacker can alter or destroy collected logs, tamper with the rules and decoders the master distributes to the workers, and blind detection across the whole cluster.
Remediation
Immediate Action: Upgrade all Wazuh cluster components (master and workers) to version 4.14.3 or later, which patches the deserialization flaw. The master is the vulnerable receiver, so upgrade it first.
Proactive Monitoring: Alert on connections to the master's cluster port (1516/tcp by default) from addresses that are not enrolled workers, and audit the master for child processes of the cluster daemon or other root-level process execution that its normal operation does not explain.
Compensating Controls: Isolate cluster communication on a private network and restrict the master's cluster port to the known worker addresses, using a host firewall or a node-to-node tunnel (IPsec or WireGuard) for mutual authentication at the network layer. These controls limit who can reach the master but do not address the threat this advisory describes, a worker that is already a legitimate cluster member; they are no substitute for the upgrade.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediate patching is required for every Wazuh installation that uses a master/worker cluster. Network isolation and monitoring reduce exposure, but a worker is a trusted cluster member by design, so only upgrading the manager to version 4.14.3 or later removes the master's trust in worker-supplied serialized data and prevents a single compromised worker from taking over the whole security environment.