Remote code execution and Local privilege escalation due to NetNTLMv2 hash theft in Wazuh < 4.8.0

Feb 7, 2024

CVE Number



Rilke Petrosky of Pentraze Cybersecurity


We’ve identified a critical security vulnerability affecting the Wazuh windows agent, which can be abused to achieve remote code execution (RCE) and Local Privilege Escalation under the scope of the NT AUTHORITY\System user by forcing a configuration to monitor an attacker-controlled remote UNC path.

We’ve tested the vulnerability against Wazuh version 4.7.2, however, the main branch and alpha tags on the repository suggest the vulnerability is still present in the latest version.


8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H


The Wazuh agent <localfile> configuration option doesn’t restrict the use of UNC paths (such as SMB, Name pipes, and others). An adversary with control over a Wazuh server, or in possession of an agent’s private key can force <localfile> configurations on deployed agents, forcing them to connect to a UNC path of an NTLM relay SMB server or impersonation named pipe, resulting in the compromise of the NetNTLMv2 hash for the computer’s domain account, or impersonation of the local NT AUTHORITY\System account using named pipes.

This impact all wazuh agent for Windows versions up to 4.8.0. The severity is reduced due to additional complexity required to exploit: The attacker must control the Wazuh Server, or must obtain an asset’s private key or MITM network attacks


In this proof-of-concept scenario, an adversary achieves remote code execution under the scope and privileges of NT AUTHORITY\System by forcing the wazuh agent to read an UNC path, leaking a domain controller’s NetNTLMv2 machine account’s hash and forging a valid certificate with Active Directory Certificate Services to authenticate and execute code to any computer in the network.

  1. A wazuh agents group is set with a custom agent.conf containing a local file location pointing to the UNC of the attacker’s SMB server.
  1. The DC01 computer agent is added to the group with the attack configuration.

  2. The attacker waits for the agent to connect to the SMB server and intercepts the NetNTLMv2 authentication hash.

  1. Once the hash is compromised, a certificate is forged on behalf of the domain controller. Multiple other attacks such as NTLM relay, DCSync, Kerberos relay local privilege escalation, and others.


Penetration Testing

Proactive assessment using tactics, techniques, and procedures of actual attackers to identify security flaws, incorrect configurations, and vulnerabilities.

Learn more

Application Security Testing

Comprehensive application protection, ensuring robust security throughout the entire software development lifecycle.

Learn more

Red Team Exercises

Simulate and emulate advanced cyber attacks to pinpoint vulnerabilities and test your organization's defense mechanisms, ensuring robust resilience against real-world threats.

Learn more

Vulnerability Management

Proactive process to identify, prioritize, and address security vulnerabilities in systems and software, enhancing an organization's defense against evolving cyber threats.

Learn more