Home

Description

Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.

PUBLISHED Reserved 2025-04-15 | Published 2025-10-28 | Updated 2025-10-28 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Problem types

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status
unknown

Any version
affected

Credits

Eduardo Pérez Malumbres Cervera from KPMG Spain finder

References

wazuh.com/...ious-files-using-cdb-lists-and-active-response/ product

documentation.wazuh.com/...lities/active-response/index.html product

github.com/wazuh/wazuh-documentation/pull/8697 issue-tracking

www.vulncheck.com/...ponse-arbitrary-file-deletion-as-system third-party-advisory

cve.org (CVE-2025-34294)

nvd.nist.gov (CVE-2025-34294)

Download JSON