CVE-2026-25770
Wazuh · Wazuh Manager
Wazuh Manager is vulnerable to privilege escalation where an authenticated node can overwrite the manager's configuration file to achieve Root Remote Code Execution.
Executive summary
Wazuh Manager contains a critical privilege escalation vulnerability that allows authenticated cluster nodes to gain full root-level Remote Code Execution on the manager node.
Vulnerability
The wazuh-clusterd service allows authenticated nodes to write arbitrary files. Due to insecure permissions, an attacker can overwrite /var/ossec/etc/ossec.conf to inject a malicious <localfile> command, which is then executed as root by the wazuh-logcollector service.
Business impact
This vulnerability completely breaks the security model of the Wazuh cluster, allowing a compromised worker node to take full control of the master manager. With a CVSS score of 9.1, the impact includes total loss of confidentiality, integrity, and availability across the entire threat detection platform.
Remediation
Immediate Action: Upgrade Wazuh Manager to version 4.14.3 or later to resolve the insecure file writing and permission issues.
Proactive Monitoring: Inspect the ossec.conf file for unauthorized <localfile> blocks and monitor cluster synchronization logs for unusual file transfer activity.
Compensating Controls: Restrict cluster communication to known, trusted IP addresses and implement strict file integrity monitoring (FIM) on the /var/ossec/etc/ directory.
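An added example of the configuration check described under Proactive Monitoring; this is not Wazuh project code. It parses an ossec.conf fragment (constructed here) and reports every <localfile> block whose log_format is command or full_command and whose command is not on an operator-maintained allowlist; the allowlist contents and the file path are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample ossec.conf fragment, not taken from any real deployment.
# A real ossec.conf may hold several top-level <ossec_config> elements, so the
# text is wrapped in a synthetic root before parsing.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>/usr/local/bin/unreviewed.sh</command>
  </localfile>
</ossec_config>
"""

# Commands an operator has reviewed and expects to see (assumed allowlist).
EXPECTED_COMMANDS: Set[str] = {"df -P"}


def find_command_localfiles(conf_text: str) -> List[Dict[str, str]]:
    """Return every <localfile> block whose log_format makes wazuh-logcollector run a command."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in ("command", "full_command"):
            found.append({"log_format": fmt,
                          "command": (lf.findtext("command") or "").strip()})
    return found


def unexpected_commands(conf_text: str, allowlist: Set[str] = EXPECTED_COMMANDS) -> List[Dict[str, str]]:
    """Flag command-running <localfile> blocks that are not on the allowlist."""
    return [e for e in find_command_localfiles(conf_text) if e["command"] not in allowlist]


if __name__ == "__main__":
    # Assumed default path; on a live manager read /var/ossec/etc/ossec.conf instead.
    for entry in unexpected_commands(SAMPLE_OSSEC_CONF):
        print(f"UNEXPECTED {entry['log_format']}: {entry['command']}")
```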
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediately upgrading to version 4.14.3 is mandatory for all Wazuh deployments using cluster mode. This vulnerability allows for lateral movement and full system takeover, which could be used to blind security monitoring or launch further attacks.