Add CVE-2025-24016: Wazuh Unsafe Deserialization RCE Detection template

[huseyinstif]

This pull request adds a new template to detect the Wazuh Unsafe Deserialization vulnerability, identified as CVE-2025-24016. The vulnerability arises from the improper deserialization of JSON data using the as_wazuh_object function in Wazuh servers. An attacker can inject a malicious object via the __unhandled_exc__ key to trigger a NameError, indicating that the payload reached the vulnerable code path and potentially allowing remote code execution.

Key Points:

• Vulnerability: Unsafe deserialization in Wazuh DistributedAPI.
• Detection Method: The template sends a specially crafted payload with a non-existent class ("NotARealClass") to trigger a NameError.
• Validation: The template has been validated locally and reliably detects vulnerable instances by confirming an HTTP 500 response with "NameError" in the response body.
• Impact: Exploitation of this vulnerability could allow an attacker to execute arbitrary code on affected servers, leading to system compromise.

This template provides a robust detection mechanism for researchers and penetration testers to identify and address the vulnerability in Wazuh deployments.

Please review the changes and let me know if further adjustments are needed.

[GeorginaReeder]

Thanks for your contribution @huseyinstif ! :)

[ritikchaddha]

Hello @huseyinstif, thank you for sharing this template with us. Could you please provide the debug data to validate this template? You can obtain the debug data by using the -debug flag after the command in the CLI.

[ritikchaddha]

@huseyinstif, This is the authenticated CVE. I have made the necessary changes in the template to ensure it works properly. Can you try the updated template to see if everything works well?

You can grab some cool PD stickers over here http://nux.gg/stickers 😄

You can join our discord server. It's a great place to connect with fellow contributors and stay updated with the latest developments. Thank you once again