CVE-2025-62788

7.5 HIGH

📋 TL;DR

This is a use-after-free vulnerability in Wazuh's w_copy_event_for_log() function, triggered when a compromised agent sends specially crafted messages to the manager. An attacker can potentially corrupt memory and compromise the integrity of the Wazuh manager application. This affects all Wazuh deployments with agents prior to version 4.11.0.

💻 Affected Systems

Products:
  • Wazuh
Versions: All versions prior to 4.11.0
Operating Systems: All platforms running Wazuh
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable if using affected versions. Requires agent-to-manager communication capability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Wazuh manager leading to data corruption, denial of service, or potential remote code execution through memory corruption.

🟠 Likely Case

Application instability, crashes, or data corruption in the Wazuh manager when processing malicious agent messages.

🟢 If Mitigated

Limited impact if proper network segmentation and agent authentication controls prevent unauthorized agents from communicating with the manager.

🌐 Internet-Facing: LOW (Wazuh managers typically shouldn't be internet-facing; agents communicate over internal networks)
🏢 Internal Only: HIGH (Compromised internal agents can exploit this vulnerability against the manager)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a compromised agent or ability to send crafted messages to the manager. The advisory suggests this could lead to integrity compromise through memory corruption.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.11.0

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-qjcw-fjvh-8q4g

Restart Required: Yes

Instructions:

1. Back up your Wazuh configuration and data.
2. Update the Wazuh manager to version 4.11.0 or later using your package manager.
3. Restart the Wazuh manager service.
4. Update all agents to compatible versions if required.

🔧 Temporary Workarounds

Network Segmentation (Platforms: all)

Restrict agent-to-manager communication to trusted networks only.

Agent Authentication Enforcement (Platforms: all)

Ensure all agents are properly authenticated and monitor for unauthorized agent connections.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Wazuh manager from potentially compromised agents
  • Monitor agent communications for anomalous patterns and implement strict agent authentication controls

🔍 How to Verify

Check if Vulnerable:

Check the Wazuh manager version with wazuh-manager --version, or check the installed package version via your package manager.

Check Version:

wazuh-manager --version

Verify Fix Applied:

Verify that the version is 4.11.0 or higher and that the manager service is running without errors.

📡 Detection & Monitoring

Log Indicators:

  • Wazuh manager crashes or segmentation faults
  • Memory corruption errors in system logs
  • Unusual agent connection patterns

Network Indicators:

  • Unusual agent-to-manager message patterns
  • Suspicious agent connections

SIEM Query:

source="wazuh-manager" AND (error OR crash OR segmentation OR "use-after-free")
