CVE-2026-25769 is a critical deserialization RCE (CVSS 9.0) in Wazuh’s cluster communication protocol, exploitable by an attacker who already controls a worker node to achieve code execution on the Wazuh manager — the central node governing all security monitoring and alerting across the deployment. A public proof-of-concept from Hakai Security is available on GitHub, materially lowering the exploitation barrier despite a currently low EPSS score (47th percentile). Specific affected version ranges are not confirmed from primary sources; operators should restrict cluster protocol access (TCP 1516) to trusted worker node IPs immediately, monitor Wazuh manager logs for anomalous process spawning from wazuh-clusterd, and verify patch availability directly via the official Wazuh advisory and NVD before upgrading.