CVE-2025-62787

7.5 HIGH

📋 TL;DR

A buffer over-read vulnerability in Wazuh's DecodeWinevt() function allows a compromised agent to make the manager read beyond the bounds of an allocated buffer. An attacker exploits it by sending specially crafted messages to the Wazuh manager, potentially exposing sensitive data. Wazuh installations prior to version 4.10.2 are affected; the data leakage requires the analysisd.debug=2 setting to be enabled.

💻 Affected Systems

Products:
  • Wazuh
Versions: All versions prior to 4.10.2
Operating Systems: All platforms running Wazuh
Default Config Vulnerable: ✅ No
Notes: Requires analysisd.debug=2 configuration setting to be enabled for data leakage to occur.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Sensitive information disclosure, potentially including credentials, configuration data, or other memory contents of the Wazuh manager process.

🟠 Likely Case: Limited information disclosure from memory buffers, potentially exposing debug information or partial data structures.

🟢 If Mitigated: No impact if debug mode is disabled or proper network segmentation prevents agent compromise.

🌐 Internet-Facing: MEDIUM - Requires compromised agent or ability to send crafted messages to manager, but debug mode must be enabled.
🏢 Internal Only: MEDIUM - Internal attackers with agent access could exploit, but debug configuration requirement reduces likelihood.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to send crafted messages to Wazuh manager, typically through compromised agent. Debug configuration must be enabled for data leakage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.10.2

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-3hhq-5367-98q6

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update the Wazuh manager to version 4.10.2 or later using the package manager.
3. Restart the Wazuh services.
4. Verify the update succeeded.

🔧 Temporary Workarounds

Disable Debug Mode (linux)

Set analysisd.debug to 0 or remove the debug setting to prevent data leakage. analysisd.debug is a Wazuh internal option, so it lives in local_internal_options.conf (or internal_options.conf) rather than ossec.conf; the sed below targets the local override file:

sed -i 's/^analysisd\.debug=2/analysisd.debug=0/' /var/ossec/etc/local_internal_options.conf
systemctl restart wazuh-manager

Network Segmentation (all platforms)

Restrict agent-manager communication to trusted networks only.

🧯 If You Can't Patch

  • Disable analysisd.debug configuration (set to 0)
  • Implement strict network controls between agents and manager

🔍 How to Verify

Check if Vulnerable:

Check the Wazuh version and the debug configuration (analysisd.debug is an internal option, so check the internal options files, not ossec.conf; the two commands are separated with ';' so the version is printed even when no debug line is set):

grep -i 'analysisd.debug' /var/ossec/etc/local_internal_options.conf /var/ossec/etc/internal_options.conf; wazuh-manager -v

Check Version:

wazuh-manager -v

Verify Fix Applied:

Verify the version is 4.10.2 or later. A plain grep for '4.10.2' would miss later releases such as 4.11.0, so compare the version with sort -V instead:

v=$(wazuh-manager -v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)
[ "$(printf '%s\n' 4.10.2 "$v" | sort -V | head -1)" = 4.10.2 ] && echo 'Patched'
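The version and debug checks above combined into one assessment, as an added example that is not part of the original page or of Wazuh itself. It assumes the text of `wazuh-manager -v` output and the contents of the file where analysisd.debug is set are read in by the caller; the samples below are constructed, and treating any debug level of 2 or higher as leaking is an assumption (the page names level 2).

```python
import re

FIXED_VERSION = (4, 10, 2)  # first patched release named in the advisory


def parse_version(text):
    """Return the first x.y.z version in command output as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def debug_level(config_text):
    """Effective analysisd.debug level: comments ignored, last assignment wins, default 0."""
    level = 0
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"analysisd\.debug\s*=\s*(\d+)$", line)
        if m:
            level = int(m.group(1))
    return level


def assess(version_output, config_text):
    """Classify a manager as 'patched', 'vulnerable' (unpatched and debug>=2),
    or 'unpatched-no-leak' (unpatched but debug below 2, so no data leakage)."""
    if parse_version(version_output) >= FIXED_VERSION:
        return "patched"
    # Assumption: any level >= 2 is treated like the page's analysisd.debug=2.
    if debug_level(config_text) >= 2:
        return "vulnerable"
    return "unpatched-no-leak"


# Constructed samples: an old manager with debug enabled, and a newer one.
OLD_MANAGER = ("Wazuh v4.9.0", "# local overrides\nanalysisd.debug=0\nanalysisd.debug=2\n")
NEW_MANAGER = ("Wazuh v4.11.0", "analysisd.debug=2\n")

if __name__ == "__main__":
    for version_output, config in (OLD_MANAGER, NEW_MANAGER):
        print(version_output, "->", assess(version_output, config))
```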

📡 Detection & Monitoring

Log Indicators:

  • Unusual agent messages with malformed winevt data
  • Debug logs showing buffer access errors

Network Indicators:

  • Abnormal agent-to-manager message patterns
  • Unexpected data transfers from manager

SIEM Query:

source="wazuh" AND ("DecodeWinevt" OR "buffer" OR "debug=2")

🔗 References
