CVE-2025-54866

5.5 MEDIUM

📋 TL;DR

This vulnerability exposes the Wazuh agent authentication password file to all authenticated users on Windows systems, allowing local attackers to read the password. It affects Wazuh installations on Windows from version 4.3.0 to 4.12.x. The password could be used to compromise the Wazuh agent or potentially escalate privileges.

💻 Affected Systems

Products:
  • Wazuh Agent
Versions: 4.3.0 to 4.12.x
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux and other platforms are not affected. The vulnerability exists in default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated local attacker reads the authd.pass file, obtains the agent password, and uses it to compromise the Wazuh agent, potentially gaining administrative access to the system or pivoting to other systems in the Wazuh infrastructure.

🟠 Likely Case

Local authenticated users (including non-administrative accounts) can read the agent password, potentially allowing them to tamper with agent configuration or disrupt monitoring capabilities.

🟢 If Mitigated

With proper access controls and monitoring, the exposure is limited to authorized users who already have some level of system access, reducing the attack surface.

🌐 Internet-Facing: LOW - This is a local file permission issue requiring authenticated access to the Windows system.
🏢 Internal Only: MEDIUM - Any authenticated user on affected Windows systems can potentially read the password file, posing an internal threat.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access to the Windows system. The attack is simple - just reading a file with incorrect permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.13.0

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-mvfx-ph7m-qm37

Restart Required: Yes

Instructions:

1. Download Wazuh agent version 4.13.0 or later from the official repository.
2. Stop the Wazuh agent service.
3. Install the new version.
4. Restart the Wazuh agent service.

🔧 Temporary Workarounds

Restrict file permissions manually

Manually set proper ACLs on the authd.pass file to restrict access to SYSTEM and Administrators only.

icacls "C:\Program Files (x86)\ossec-agent\authd.pass" /inheritance:r
icacls "C:\Program Files (x86)\ossec-agent\authd.pass" /grant SYSTEM:F
icacls "C:\Program Files (x86)\ossec-agent\authd.pass" /grant Administrators:F

🧯 If You Can't Patch

  • Manually apply the file permission workaround using icacls commands
  • Monitor access to the authd.pass file using Windows audit logging and alert on any non-SYSTEM/Administrator access

🔍 How to Verify

Check if Vulnerable:

Check the permissions on C:\Program Files (x86)\ossec-agent\authd.pass by running:

icacls "C:\Program Files (x86)\ossec-agent\authd.pass"

and verify whether 'Authenticated Users' holds any permissions on the file.

Check Version:

wazuh-agentd -v

Verify Fix Applied:

After patching to 4.13.0+, verify the file permissions only show SYSTEM and Administrators with full control, and no 'Authenticated Users' entries.
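A PowerShell version of the "Check if Vulnerable" step, added here as an example; it is not part of the advisory or of Wazuh's own tooling. It assumes the default install path shown on this page, and matches principals by well-known SID so the result does not depend on the system's display language. It goes slightly beyond the page by also flagging Users and Everyone alongside Authenticated Users, since any of these would expose the file to non-administrative accounts.

```powershell
# Added example (not from the advisory or Wazuh): report whether authd.pass
# grants access to broad principals. Path is the default documented on this page.
param(
    [string]$Path = "C:\Program Files (x86)\ossec-agent\authd.pass"
)

# Principals that should never hold an Allow ACE on the agent password file.
# Keyed by well-known SID so the check is language-independent.
$BroadSids = @{
    'S-1-5-11'    = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-1-0'     = 'Everyone'
}

function Get-AuthdPassExposure {
    param([string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        # Agent not installed at this path (or already removed); nothing to check.
        return [pscustomobject]@{ Path = $FilePath; Exists = $false; Exposed = $false; Findings = @() }
    }

    $acl = Get-Acl -LiteralPath $FilePath
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the ACE identity to a SID (works for both NTAccount and raw SID entries).
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs are what icacls /inheritance:r removes
            }
        }
    }

    [pscustomobject]@{
        Path     = $FilePath
        Exists   = $true
        Exposed  = [bool]$findings
        Findings = @($findings)
    }
}

$result = Get-AuthdPassExposure -FilePath $Path
if ($result.Exposed) {
    Write-Output "VULNERABLE: $($result.Path) grants access to broad principals:"
    $result.Findings | Format-Table -AutoSize
} else {
    Write-Output "OK: no broad-principal Allow ACEs on $($result.Path) (exists: $($result.Exists))"
}
```

Run it elevated after patching or after applying the icacls workaround; the expected result is the OK line with no findings. A Deny ACE for the same principal would override an Allow entry and is not considered here, so a reported finding is worth confirming with icacls.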

📡 Detection & Monitoring

Log Indicators:

  • Windows Security event logs showing access to authd.pass by non-SYSTEM/Administrator accounts
  • Failed authentication attempts to Wazuh manager using potentially compromised credentials

Network Indicators:

  • Unusual agent communication patterns or configuration changes

SIEM Query:

EventID=4663 AND ObjectName LIKE '%authd.pass%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrator')
