


Perceptive Security
SOC/SIEM Consultancy

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 3.9.0 and prior to version 4.14.3, a privilege…
Published: 16 March 2026 at 23:00:00
Alert date: 17 March 2026 at 19:03:08
Source: nvd.nist.gov
Security Tools
A privilege escalation vulnerability exists in Wazuh versions 3.9.0 through 4.14.2 affecting the cluster synchronization protocol. The wazuh-clusterd service allows authenticated nodes to write arbitrary files with wazuh user permissions. Due to insecure default permissions, attackers can overwrite the main configuration file, ossec.conf, and inject malicious localfile commands. The wazuh-logcollector service, which runs as root, parses this configuration and executes the injected commands, leading to full remote code execution as root. This vulnerability violates the principle of least privilege and bypasses intended security controls. Version 4.14.3 addresses this issue.
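Because the impact depends on command-type localfile entries in ossec.conf being executed by wazuh-logcollector, one defensive check is to list those entries and compare them with an approved baseline. The following is an added example, not code from Wazuh or from the advisory; the sample configuration, the approved set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an ossec.conf. The last <localfile> stands in for a
# command entry that nobody on the team approved.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>full_command</log_format>
    <command>df -P</command>
    <frequency>360</frequency>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>command</log_format>
    <command>/tmp/constructed-example.sh</command>
  </localfile>
</ossec_config>
"""

# Assumed baseline: commands the administrator has approved for this host.
APPROVED = {"df -P"}

def command_localfiles(conf_text):
    """Return [(log_format, command)] for every command-type <localfile>."""
    # ossec.conf can contain several <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the text in one synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt in ("command", "full_command"):
            found.append((fmt, (lf.findtext("command") or "").strip()))
    return found

def unapproved(conf_text, approved=APPROVED):
    """Command entries whose command string is not in the baseline."""
    return [e for e in command_localfiles(conf_text) if e[1] not in approved]

if __name__ == "__main__":
    for fmt, cmd in unapproved(SAMPLE_CONF):
        print(f"unapproved {fmt} localfile: {cmd!r}")
```

Run against the real configuration by passing the file's contents to unapproved(); any entry it returns on a cluster node running an affected version warrants review.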
Technical details
Affected products: Wazuh
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-25770
https://github.com/wazuh/wazuh/security/advisories/GHSA-r4f7-v3p6-79jm
This article was created with the assistance of AI technology by Perceptive.
