CVE-2025-34294 in File Integrity Monitoring
Summary
by MITRE • 10/28/2025
Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/03/2026
The vulnerability resides within Wazuh's File Integrity Monitoring (FIM) module when configured with automatic threat removal capabilities, presenting a critical time-of-check/time-of-use (TOCTOU) race condition that enables local privilege escalation. This flaw operates at the intersection of improper access control and inadequate synchronization mechanisms, creating an exploitable window where an attacker can manipulate file system state between verification and execution phases. The vulnerability specifically affects systems running Wazuh agents with active-response enabled, where the service operates with elevated privileges under the NT AUTHORITY\SYSTEM account. When a threat is detected and automatic removal is configured, the agent performs a check to identify target files before executing deletion operations, but this process lacks proper atomicity guarantees.
The technical implementation flaw stems from insufficient synchronization mechanisms within the threat-removal workflow, where the system records an active-response action and proceeds to perform file deletion without ensuring that the target remains unchanged between the verification phase and execution phase. This race condition allows an attacker to replace or move the originally identified file with a different target before the deletion operation completes, effectively causing the system to delete unintended files while maintaining the appearance of legitimate threat removal. The root cause is further exacerbated by inadequate final-path validation that fails to confirm the absolute path identity between check and use operations, creating a path traversal scenario where file system manipulation can redirect deletion targets.
The operational impact of this vulnerability extends beyond simple file deletion capabilities to encompass full local privilege escalation, as the Wazuh service runs with SYSTEM-level privileges. An attacker exploiting this race condition can cause arbitrary file or folder deletion on the system, potentially compromising critical security files, configuration data, or user information. The consequences include complete system compromise through deletion of essential components, disruption of security monitoring capabilities, and potential data loss that could affect system integrity and availability. This vulnerability particularly impacts environments where Wazuh is used for security monitoring and threat detection, as it undermines the fundamental trust model between the security agent and the operating system.
Security mitigations should focus on implementing proper synchronization mechanisms within the threat-removal workflow, including atomic operations that prevent path changes between verification and execution phases. The fix must incorporate robust final-path validation that confirms absolute path identity before deletion operations occur, preventing attackers from exploiting the race condition through file system manipulation. Additionally, system administrators should consider disabling automatic threat removal functionality until a complete fix is implemented, or implement additional monitoring to detect unauthorized file deletion activities. This vulnerability aligns with CWE-367, Time-of-Check to Time-of-Use (TOCTOU) Race Condition, and maps to ATT&CK technique T1059.001 for execution through system commands, while also addressing T1068 for local privilege escalation through service manipulation.
The incomplete fix referenced in pull request 8697 demonstrates the complexity of addressing race conditions in security-critical systems, as simple path validation changes prove insufficient without proper atomicity guarantees. The vulnerability represents a fundamental design flaw that requires comprehensive review of all active-response operations within the Wazuh agent to ensure similar race conditions do not exist in other threat-removal workflows. Organizations should implement immediate monitoring for suspicious deletion patterns and consider alternative security approaches that avoid the inherent risks of automatic file removal in privileged contexts, while also ensuring proper patch management and system hardening practices are maintained across all security tooling implementations.