CVE-2024-1243 in Wazuh
Summary
by MITRE • 06/11/2025
Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/01/2025
The vulnerability identified as CVE-2024-1243 represents a critical input validation flaw within the Wazuh agent implementation for Windows systems. This weakness exists in versions prior to 4.8.0 and stems from inadequate sanitization of user-supplied input during agent configuration processes. The vulnerability specifically affects the handling of UNC (Universal Naming Convention) paths that are used for agent communication and file sharing within Windows environments. Attackers who have already compromised access to either the Wazuh server or possess valid agent keys can exploit this flaw to manipulate agent connections to malicious network paths. The technical nature of this vulnerability aligns with CWE-20, which describes improper input validation, and represents a significant security risk in enterprise environments where Wazuh agents are deployed for security monitoring and log analysis.
The operational impact of this vulnerability extends beyond simple data leakage and creates a pathway for sophisticated attack vectors that can compromise entire network infrastructures. When an attacker configures a Wazuh agent to connect to a malicious UNC path, the system automatically authenticates using the machine account credentials, resulting in the exposure of the machine account NetNTLMv2 hash. This hash contains sufficient cryptographic information to enable credential relay attacks, where attackers can leverage the captured credentials to impersonate the compromised system across the network. The vulnerability creates a direct attack surface that aligns with ATT&CK technique T1550.001, which covers credential access through valid accounts, and T1550.002, which addresses the use of legitimate credentials for lateral movement. The exposure of machine account credentials provides attackers with persistent access to network resources and enables them to escalate privileges within Active Directory environments.
The security implications of this vulnerability become particularly severe when considering the potential for privilege escalation to SYSTEM level access through AD CS certificate forging attacks. Once an attacker has obtained the machine account hash, they can leverage it in conjunction with Active Directory Certificate Services to request and forge certificates that grant them elevated privileges within the domain. This attack vector represents a sophisticated technique that aligns with ATT&CK technique T1649, which covers authentication process manipulation. The vulnerability essentially creates a bridge between the initial compromise of a Wazuh agent and the ability to achieve domain-level persistence and privilege escalation. Organizations that rely on Wazuh for security monitoring and log collection are particularly at risk, as the compromised agent can serve as a foothold for broader network infiltration. The attack chain typically begins with the initial compromise of either the server or agent key, followed by the manipulation of agent configuration to point to malicious UNC paths, and concludes with credential relay or certificate forgery attacks that can result in complete domain compromise.
Organizations should immediately implement mitigations that include updating Wazuh agents to version 4.8.0 or later, which contains the necessary input validation fixes for this vulnerability. Network segmentation and monitoring of UNC path access should be implemented to detect and prevent unauthorized access to these attack vectors. Additionally, organizations should review their Wazuh server and agent key management practices to ensure that access controls are properly enforced and that only authorized personnel have the ability to configure agent connections. The implementation of network access controls and monitoring of authentication events can help detect attempts to exploit this vulnerability. Security teams should also consider implementing certificate trust policies and monitoring for unusual certificate requests that could indicate attempts to forge certificates through AD CS. The vulnerability demonstrates the importance of proper input validation in security-critical applications and highlights the need for comprehensive security testing of agent-based monitoring systems to prevent similar flaws from being exploited in the future.