CVE-2025-62792

7.5 HIGH

📋 TL;DR

A buffer over-read vulnerability in Wazuh allows compromised agents or attackers who can send crafted messages to the Wazuh manager to read beyond allocated memory boundaries, potentially accessing sensitive information. This affects Wazuh deployments with agents that can communicate with the manager. The vulnerability exists in versions prior to 4.12.0.

💻 Affected Systems

Products:
  • Wazuh
Versions: All versions prior to 4.12.0
Operating Systems: All platforms running Wazuh
Default Config Vulnerable: ⚠️ Yes
Notes: All Wazuh deployments with agents communicating to managers are affected if using vulnerable versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with agent access could read sensitive data from Wazuh manager memory, potentially exposing credentials, configuration secrets, or other protected information.

🟠 Likely Case

Compromised agents could exfiltrate limited sensitive data from manager memory, potentially enabling further attacks.

🟢 If Mitigated

With proper network segmentation and agent security controls, impact is limited to isolated agent compromise scenarios.

🌐 Internet-Facing: LOW - Wazuh managers typically shouldn't be internet-facing; agents communicate over internal networks.
🏢 Internal Only: MEDIUM - Internal attackers with agent access or ability to send crafted messages to the manager could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to send crafted messages to the Wazuh manager, typically requiring agent compromise or network access to agent-manager communication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.12.0

Vendor Advisory: https://github.com/wazuh/wazuh/security/advisories/GHSA-2672-vfhm-xhr6

Restart Required: Yes

Instructions:

1. Back up Wazuh configuration and data.
2. Update the Wazuh manager to version 4.12.0 or later using your package manager.
3. Restart Wazuh services.
4. Update all agents to compatible versions.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to the Wazuh manager to trusted agents and management systems only. Replace trusted_network with your own CIDR; the rules below assume agents use the default TCP transport on port 1514.

# Agent traffic (1514) and enrollment (1515): accept only from the trusted network, drop everything else
sudo iptables -A INPUT -p tcp --dport 1514:1515 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1514:1515 -j DROP
# Manager API (55000): same policy
sudo iptables -A INPUT -p tcp --dport 55000 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 55000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Wazuh manager from untrusted networks
  • Monitor agent communications for anomalous patterns and implement strict agent authentication controls

🔍 How to Verify

Check if Vulnerable:

Check the installed Wazuh manager version with wazuh-manager --version, rpm -q wazuh-manager, or dpkg -l wazuh-manager; anything below 4.12.0 is vulnerable.

Check Version:

wazuh-manager --version 2>/dev/null || rpm -q wazuh-manager 2>/dev/null || dpkg -l wazuh-manager 2>/dev/null | grep ^ii

Verify Fix Applied:

Verify version is 4.12.0 or higher and check that wazuh-manager service is running without errors
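The one-liner above only prints a version string; deciding whether it is below 4.12.0 still has to be done by hand, and a plain string comparison gets it wrong (4.9.10 sorts after 4.12.0 lexicographically). The script below is an added example, not part of this advisory or of Wazuh itself: it normalizes the version formats the common sources emit (rpm, dpkg with its -1 release suffix, and the WAZUH_VERSION="v4.x.y" line printed by /var/ossec/bin/wazuh-control info, a path and output format assumed here for a standard install), compares numerically against the fixed version from the advisory, and reports on a few constructed samples before checking the local host.

```shell
#!/bin/sh
# Added example, not from the advisory: is an installed Wazuh manager below the
# fixed release? FIXED_VERSION comes from the advisory; the wazuh-control path
# and its WAZUH_VERSION="v4.x.y" output are assumptions about a default install.
FIXED_VERSION="4.12.0"

# Numeric comparison of two dotted versions (major.minor.patch); prints -1, 0 or 1.
# Missing components count as 0, so "4.12" equals "4.12.0".
version_cmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i")
    y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' '-1'; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' '1';  return 0; fi
    i=$((i + 1))
  done
  printf '%s\n' '0'
}

# Reduce raw version output on stdin to bare digits and dots:
#   rpm            -> 4.11.2
#   dpkg           -> 4.11.2-1            (release suffix stripped)
#   wazuh-control  -> WAZUH_VERSION="v4.11.2" (other lines ignored)
normalize_version() {
  input=$(cat)
  line=$(printf '%s\n' "$input" | grep '^WAZUH_VERSION=' || printf '%s\n' "$input" | head -n 1)
  printf '%s\n' "$line" | sed 's/^WAZUH_VERSION=//; s/"//g; s/^v//; s/[^0-9.].*$//'
}

# Exit status 0 (true) when the version is below FIXED_VERSION, 1 when fixed,
# 2 when no version could be parsed at all.
is_vulnerable() {
  v=$(printf '%s\n' "$1" | normalize_version)
  [ -n "$v" ] || return 2
  [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Read the live version: wazuh-control first, then the package managers.
# Prints an empty line when wazuh-manager is not installed.
installed_version() {
  if [ -x /var/ossec/bin/wazuh-control ]; then
    /var/ossec/bin/wazuh-control info
  elif command -v rpm >/dev/null 2>&1 && rpm -q wazuh-manager >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' wazuh-manager
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' wazuh-manager 2>/dev/null
  fi | normalize_version
}

main() {
  # Constructed samples covering the three formats and the lexicographic trap.
  for s in 'WAZUH_VERSION="v4.11.2"' '4.9.10' '4.12.0-1' '4.13.1'; do
    if is_vulnerable "$s"; then
      echo "$s: VULNERABLE (update to $FIXED_VERSION)"
    else
      echo "$s: fixed"
    fi
  done
  live=$(installed_version)
  if [ -n "$live" ]; then
    if is_vulnerable "$live"; then
      echo "host: wazuh-manager $live is VULNERABLE"
    else
      echo "host: wazuh-manager $live is fixed"
    fi
  else
    echo "host: wazuh-manager not found"
  fi
}

main "$@"
```

Run it as root on each manager; the host line is the answer, and the sample lines show that 4.9.10 is correctly flagged while a dpkg-style 4.12.0-1 is correctly treated as fixed.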

📡 Detection & Monitoring

Log Indicators:

  • Unusual agent connection patterns
  • Large or malformed messages in Wazuh logs
  • Wazuh manager segmentation faults or crashes

Network Indicators:

  • Unusual traffic patterns to Wazuh manager ports (1514-1515, 55000)
  • Messages with unusual length or structure

SIEM Query:

source="wazuh" AND ("segmentation fault" OR "buffer" OR "malformed" OR "unexpected")
