Wazuh has released 4.9.1, which fixes CVE-2025-24016 (insecure deserialization in the Wazuh Server), a vulnerability that was later exploited by Mirai variants against exposed servers. The effective mitigation is to upgrade to 4.9.1 or later on the manager, indexer and dashboard, then upgrade agents to maintain compatibility.
Executive summary
- CVE-2025-24016 allows RCE on wazuh-manager (v ≥ 4.4.0 and < 4.9.1). Fixed in 4.9.1.
- There was active exploitation by Mirai botnets in 2025 against servers with an exposed API.
- Wazuh stated that the bug requires API credentials; with panel or API exposed and weak keys, the risk is critical.
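To apply the affected range above to a fleet, the following added example (not Wazuh's code) classifies manager version strings against ≥ 4.4.0 and < 4.9.1 and lists the hosts to upgrade, those with an exposed API first. The inventory layout, the field names `manager_version` and `api_exposed`, and the hostnames are assumptions made for illustration.

```python
import re

# Affected range for CVE-2025-24016 as stated on this page: >= 4.4.0 and < 4.9.1.
AFFECTED_MIN = (4, 4, 0)
FIXED_IN = (4, 9, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v4.8.2' or '4.9.1-1', else None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a manager version string to a status for this CVE."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # cannot prove it is patched: verify by hand
    if v < AFFECTED_MIN:
        return "not_affected"   # below the affected range given on the page
    if v < FIXED_IN:
        return "vulnerable"
    return "fixed"


def triage(inventory):
    """Return (name, status, api_exposed) for hosts needing action, most urgent first."""
    rows = []
    for host in inventory:
        status = classify(host.get("manager_version"))
        if status in ("vulnerable", "unknown"):
            rows.append((host["name"], status, bool(host.get("api_exposed"))))
    # Vulnerable before unknown, exposed API before internal-only, then by name.
    rows.sort(key=lambda r: (r[1] != "vulnerable", not r[2], r[0]))
    return rows


# Constructed sample inventory (hostnames and versions are made up; fields are assumed).
SAMPLE = [
    {"name": "siem-a", "manager_version": "v4.7.3", "api_exposed": False},
    {"name": "siem-b", "manager_version": "4.9.1-1", "api_exposed": True},
    {"name": "siem-c", "manager_version": "Wazuh v4.8.0", "api_exposed": True},
    {"name": "siem-d", "manager_version": "4.3.11", "api_exposed": True},
    {"name": "siem-e", "manager_version": "", "api_exposed": False},
]

if __name__ == "__main__":
    for name, status, exposed in triage(SAMPLE):
        print(f"{name}: {status} (API exposed: {exposed})")
```

Hosts whose version string cannot be parsed are reported as `unknown` instead of being assumed patched.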
Sources: CVE/NVD, Release notes 4.9.1, Akamai/Censys advisories and official upgrade guide.