Description

Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.

INFO

Published Date :

2025-10-28T15:48:15.981Z

Last Modified :

2025-10-28T18:21:22.793Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34294 vulnerability.

Vendors Products
Wazuh
  • Wazuh
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34294.

URL Resource
https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html cve-icon cve-icon
https://github.com/wazuh/wazuh-documentation/pull/8697 cve-icon cve-icon
https://wazuh.com/blog/detecting-and-responding-to-malicious-files-using-cdb-lists-and-active-response/ cve-icon cve-icon
https://www.vulncheck.com/advisories/wazuh-file-integrity-monitoring-and-active-response-arbitrary-file-deletion-as-system cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability