CVE-2025-30201

7.7 HIGH

📋 TL;DR

This vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in agent configuration settings. This could lead to NTLM relay attacks resulting in privilege escalation and remote code execution. Organizations using Wazuh Agent versions before 4.13.0 are affected.

💻 Affected Systems

Products:
  • Wazuh Agent
Versions: All versions prior to 4.13.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to modify agent configuration settings.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through NTLM relay leading to domain admin privileges and complete network takeover.

🟠 Likely Case

Local privilege escalation on affected systems leading to lateral movement within the network.

🟢 If Mitigated

Limited impact with proper network segmentation and NTLM relay protections in place.

🌐 Internet-Facing: LOW - Requires authenticated access to agent configuration.
🏢 Internal Only: HIGH - Internal attackers with agent access can exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access to agent configuration and knowledge of NTLM relay techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.13.0

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x

Restart Required: Yes

Instructions:

1. Upgrade Wazuh Agent to version 4.13.0 or later.
2. Restart the agent service.
3. Verify the agent reconnects to the Wazuh manager.

🔧 Temporary Workarounds

Restrict Agent Configuration Access (applies to: all platforms)

Limit who can modify Wazuh Agent configuration files and settings.

Linux: chmod 600 /var/ossec/etc/ossec.conf
Windows: set appropriate file permissions on the agent configuration file

Disable NTLM Authentication (applies to: Windows)

Configure systems to use Kerberos instead of NTLM where possible.

Group Policy: Network security: Restrict NTLM: Incoming NTLM traffic = Deny all

🧯 If You Can't Patch

  • Implement strict access controls on Wazuh Agent configuration files
  • Enable SMB signing and LDAP signing to prevent NTLM relay attacks

🔍 How to Verify

Check if Vulnerable:

Check the installed Wazuh Agent version:
  • Linux: /var/ossec/bin/wazuh-agentd -V
  • Windows: check installed programs or the agent service properties

Check Version:

  • Linux: /var/ossec/bin/wazuh-agentd -V | grep 'Wazuh v'
  • Windows: wmic product where name='Wazuh Agent' get version

Verify Fix Applied:

Confirm the reported version is 4.13.0 or higher and that the agent is running and reporting to the manager normally.
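The version check above can be scripted so the comparison is numeric rather than a visual read of the grep output. The following is an added example for this page, not Wazuh project code. It assumes `wazuh-agentd -V` prints a line containing "Wazuh v<major>.<minor>.<patch>" (the page's own grep 'Wazuh v' relies on that) and that the Windows wmic output carries a bare "x.y.z" line; the sample outputs embedded below are constructed, and the Linux binary path is the one given on this page.

```python
"""
Classify a Wazuh Agent version string against the fixed version 4.13.0.
Added example for this page (not Wazuh project code). Assumes the version
appears as "Wazuh vX.Y.Z" (agent -V output) or as a bare "X.Y.Z" line
(wmic output); sample strings below are constructed.
"""
import re
import subprocess

FIXED_VERSION = (4, 13, 0)          # first fixed release per the advisory
AGENT_BINARY = "/var/ossec/bin/wazuh-agentd"  # Linux path from the page

# Matches "v4.12.0" or "4.12.0"; case-sensitive so "Version" is not mistaken
# for a version prefix.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str):
    """Return the first X.Y.Z found in text as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: tuple) -> bool:
    """All versions strictly below 4.13.0 are in the affected range."""
    return version < FIXED_VERSION


def assess(text: str) -> str:
    """Map raw command output to 'affected', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def assess_local_agent(binary: str = AGENT_BINARY) -> str:
    """Run the local agent with -V (Linux) and classify its output."""
    try:
        proc = subprocess.run([binary, "-V"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "unknown"          # agent not installed at the expected path
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample outputs, one per platform, plus the live check.
    samples = {
        "linux  (-V)":  "Wazuh v4.12.0 - Wazuh Inc.",
        "windows(wmic)": "Version\n4.13.1",
    }
    for label, output in samples.items():
        print(f"{label}: {assess(output)}")
    print(f"local agent: {assess_local_agent()}")
```

Run it on the host as a user that can execute the agent binary; "unknown" means the binary was not found or printed no recognisable version, which should be treated as unverified rather than as fixed.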

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized modifications to ossec.conf
  • Unexpected UNC path references in agent logs
  • Failed authentication attempts from unexpected sources

Network Indicators:

  • Unexpected SMB traffic to/from Wazuh agents
  • NTLM authentication attempts to unusual destinations

SIEM Query:

source="wazuh" AND (event_id=550 OR event_id=553) AND (UNC OR \\\\ in message)
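The log indicator "unexpected UNC path references" and the SIEM pseudo-query above can be implemented directly as a scan of the agent configuration and agent log. The following is an added example for this page, not Wazuh project code. It parses an ossec.conf, collects every element value and attribute, and reports UNC paths (\\host\share) whose host is not on an allowlist; it also runs the same pattern over log lines. The element names in the sample configuration (syscheck/directories, localfile/location, client/server/address) are real ossec.conf elements, but the sample configuration, the hostnames and the log lines are all constructed for the example.

```python
"""
Find UNC paths in a Wazuh agent configuration and in agent log lines.
Added example for this page (not Wazuh project code). The sample config
and log lines are constructed; hostnames are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

# A UNC path: two backslashes, a host name, a backslash, then share/path.
UNC_RE = re.compile(r"\\\\[\w.\-]+\\[^\s<>\"']+")

# Constructed ossec.conf: one UNC path to an expected file server and one to an
# unexpected host. Real files may hold several top-level <ossec_config> blocks.
SAMPLE_CONF = r"""
<ossec_config>
  <client>
    <server><address>manager.example.internal</address></server>
  </client>
  <syscheck>
    <directories check_all="yes">C:\Program Files</directories>
    <directories check_all="yes">\\unexpected-host.example\share\agent</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>\\fileserver.example.internal\logs\app.log</location>
  </localfile>
</ossec_config>
"""

# Constructed agent log lines (format is illustrative, not a verbatim Wazuh log).
SAMPLE_LOG = [
    "2025/01/01 10:00:00 wazuh-agentd: INFO: Connected to the server "
    "(manager.example.internal:1514/tcp).",
    r"2025/01/01 10:00:05 wazuh-syscheckd: INFO: Monitoring directory: "
    r"'\\unexpected-host.example\share\agent'.",
]


def iter_config_values(conf_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (element path, value) for each text node and attribute.

    ossec.conf may contain several top-level <ossec_config> elements, which is
    not well-formed XML, so the text is wrapped in a synthetic root first.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")

    def walk(elem, path):
        here = f"{path}/{elem.tag}" if path else elem.tag
        if elem.text and elem.text.strip():
            yield here, elem.text.strip()
        for key, value in elem.attrib.items():
            yield f"{here}@{key}", value
        for child in elem:
            yield from walk(child, here)

    for top in root:
        yield from walk(top, "")


def find_unc_in_config(conf_text: str, allowed_hosts=()) -> List[Tuple[str, str]]:
    """Return (element path, UNC path) for hosts not in allowed_hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for path, value in iter_config_values(conf_text):
        for m in UNC_RE.finditer(value):
            host = m.group(0)[2:].split("\\", 1)[0].lower()
            if host not in allowed:
                hits.append((path, m.group(0)))
    return hits


def find_unc_in_log(lines) -> List[Tuple[int, str]]:
    """Return (1-based line number, UNC path) for every UNC path in the log."""
    return [(n, m.group(0))
            for n, line in enumerate(lines, 1)
            for m in UNC_RE.finditer(line)]


if __name__ == "__main__":
    for path, unc in find_unc_in_config(SAMPLE_CONF,
                                        allowed_hosts=["fileserver.example.internal"]):
        print(f"config {path}: {unc}")
    for lineno, unc in find_unc_in_log(SAMPLE_LOG):
        print(f"log line {lineno}: {unc}")
```

Point it at the real /var/ossec/etc/ossec.conf (or the Windows equivalent) and the agent log on a schedule, and keep the allowlist to the file servers the agent is genuinely expected to reach; a UNC path to any other host in an agent setting is the configuration indicator this advisory describes and warrants checking who changed the file and when.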
