CVE-2024-1243
Remote code execution and local privilege escalation in Wazuh Windows agent via NetNTLMv2 hash theft
Severity Score
9.5
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
*Credits:
Rilke Petrosky of Pentraze Cybersecurity
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-02-06 CVE Reserved
- 2025-06-11 CVE Published
- 2025-06-11 CVE Updated
- 2025-06-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-73: External Control of File Name or Path
CAPEC
- CAPEC-73: User-Controlled Filename
- CAPEC-644: Use of Captured Hashes (Pass The Hash)
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/wazuh/wazuh/security/advisories/GHSA-3crh-39qv-fxj7 | ||
https://pentraze.com | ||
https://pentraze.com/vulnerability-reports/CVE-2024-1243 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Wazuh Search vendor "Wazuh" | Wazuh Agent Search vendor "Wazuh" for product "Wazuh Agent" | < 4.8.0 Search vendor "Wazuh" for product "Wazuh Agent" and version " < 4.8.0" | en |
Affected
|