CVE-2024-35177: 
Wazuh Agent vulnerability analysis and mitigation

Wazuh, a free and open source platform for threat prevention, detection, and response, has reported a Local Privilege Escalation vulnerability (CVE-2024-35177) in its Windows agent. The vulnerability affects versions from 3.0.0 onwards and was discovered in February 2025. The issue stems from improper Access Control List (ACL) implementation in non-default installation directories of the wazuh-agent for Windows (GitHub Advisory).

The vulnerability arises from an improper ACL applied to the installation folder when a non-default installation path is specified (e.g., C:\wazuh). The issue allows for two attack vectors: either placing malicious DLLs that export functions of legitimate ones (such as rsync.dll) in the installation folder, or directly replacing the service executable binary. When exploited, this enables privilege escalation to NT AUTHORITY\SYSTEM context. The vulnerability has been assigned a CVSS v3.1 score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

The successful exploitation of this vulnerability allows a local malicious user to escalate privileges to NT AUTHORITY\SYSTEM context, which is the highest level of system privileges in Windows. This enables an attacker to gain complete control over the affected system, potentially compromising the confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been addressed in version 4.9.0 of the Wazuh agent. All users are advised to upgrade to this version or newer. There are no known workarounds for this vulnerability (NVD).