CVE-2025-64483
📋 TL;DR
This vulnerability allows authenticated users with read-only API roles in Wazuh to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can then be used to register unauthorized agents within the same Wazuh tenant. Organizations running Wazuh versions 4.9.0 through 4.12.x with API access configured are affected.
💻 Affected Systems
- Wazuh
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with read-only API access could register malicious agents that exfiltrate sensitive security data, manipulate alerts, or disrupt monitoring operations across the entire Wazuh deployment.
Likely Case
Internal users with read-only API permissions could unintentionally or intentionally register unauthorized agents, potentially causing configuration drift, alert fatigue, or data integrity issues.
If Mitigated
With proper API access controls and network segmentation, the impact is limited to potential unauthorized agent registrations that can be detected and remediated through existing monitoring.
🎯 Exploit Status
Exploitation requires valid API credentials with read-only permissions. The attack involves a simple API call to retrieve credentials followed by agent registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.13.0
Vendor Advisory: https://github.com/wazuh/wazuh-dashboard-plugins/security/advisories/GHSA-gwf3-8gm3-qrmj
Restart Required: Yes
Instructions:
1. Back up the current Wazuh configuration.
2. Upgrade Wazuh to version 4.13.0 or later.
3. Restart the Wazuh services.
4. Verify the fix by testing API endpoint access.
🔧 Temporary Workarounds
Restrict API Access
Temporarily restrict access to the /utils/configuration endpoint, or disable API access for read-only users, until the upgrade is applied.
# Modify the Wazuh API configuration to restrict endpoint access
# Edit /var/ossec/api/configuration/api.yaml and adjust permissions
Network Segmentation
Implement network controls to restrict API access to trusted IP addresses only. The vendor advisory above is filed against the wazuh-dashboard-plugins repository, so confirm which component serves the endpoint in your deployment before relying on a port-55000 filter alone.
# Example iptables rules to restrict access to the Wazuh server API (TCP 55000).
# Rules are appended in order: make sure no earlier INPUT rule already accepts port 55000,
# and repeat the ACCEPT line for every trusted address, including the host running the
# Wazuh dashboard, which queries the API. Replace TRUSTED_IP with a real address.
iptables -A INPUT -p tcp --dport 55000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 55000 -j DROP
🧯 If You Can't Patch
- Implement strict API access controls and audit all read-only user activities
- Monitor agent registration logs for unauthorized or suspicious enrollment attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Wazuh version is between 4.9.0 and 4.12.x and whether API access is enabled for read-only users.
Check Version:
# The manager ships the wazuh-control helper; its "info" target prints WAZUH_VERSION
/var/ossec/bin/wazuh-control info
Verify Fix Applied:
After upgrading to 4.13.0 or later, verify that read-only API users can no longer retrieve agent enrollment credentials through the /utils/configuration endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /utils/configuration endpoint
- Unexpected agent registration events
- Multiple agent enrollments from single user
Network Indicators:
- Unusual API traffic patterns to configuration endpoints
- Agent registration requests from non-standard sources
SIEM Query:
source="wazuh-api" AND (endpoint="/utils/configuration" OR event="agent_enrollment") | stats count by user, src_ip
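The three log indicators and the SIEM query above can be expressed as a small detection routine. The following is an added example, not code from the page or from Wazuh: it runs over a constructed JSON-lines audit sample whose field names (user, role, src_ip, endpoint, event) are assumptions for this example rather than Wazuh's actual log schema, and the trusted-source list, enrollment threshold and window are likewise assumed values to be replaced with your own.

```python
"""Added detection example (not Wazuh's own code): flag read-only principals
reading /utils/configuration, enrollment bursts per user, and enrollments from
untrusted sources, over a constructed JSON-lines audit sample."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The field names are assumptions for this example
# and do not reflect Wazuh's real audit format.
SAMPLE_LOG = """\
{"ts": "2025-11-10T09:00:01Z", "user": "soc-viewer", "role": "readonly", "src_ip": "10.0.5.20", "endpoint": "/utils/configuration", "event": "api_request"}
{"ts": "2025-11-10T09:00:09Z", "user": "soc-viewer", "role": "readonly", "src_ip": "10.0.5.20", "endpoint": "/agents", "event": "agent_enrollment"}
{"ts": "2025-11-10T09:00:15Z", "user": "soc-viewer", "role": "readonly", "src_ip": "10.0.5.20", "endpoint": "/agents", "event": "agent_enrollment"}
{"ts": "2025-11-10T09:00:22Z", "user": "soc-viewer", "role": "readonly", "src_ip": "10.0.5.20", "endpoint": "/agents", "event": "agent_enrollment"}
{"ts": "2025-11-10T09:05:00Z", "user": "wazuh-admin", "role": "administrator", "src_ip": "10.0.1.5", "endpoint": "/utils/configuration", "event": "api_request"}
{"ts": "2025-11-10T09:10:00Z", "user": "provisioner", "role": "administrator", "src_ip": "203.0.113.7", "endpoint": "/agents", "event": "agent_enrollment"}
{"ts": "2025-11-10T09:11:00Z", "user": "provisioner", "role": "administrator", "src_ip": "10.0.1.5", "endpoint": "/agents", "event": "agent_enrollment"}
"""

READONLY_ROLES = {"readonly"}          # assumed role name for read-only principals
TRUSTED_SOURCES = {"10.0.1.5"}         # assumed: hosts expected to enroll agents
ENROLL_THRESHOLD = 3                   # assumed: enrollments per user per window
ENROLL_WINDOW = timedelta(minutes=10)  # assumed sliding window


def parse_records(text):
    """Parse JSON lines into dicts, converting the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect(records, readonly_roles=READONLY_ROLES, trusted=TRUSTED_SOURCES,
           threshold=ENROLL_THRESHOLD, window=ENROLL_WINDOW):
    """Return one finding dict per matched indicator, in time order."""
    findings = []
    enrollments = defaultdict(list)  # user -> timestamps inside the window
    for rec in sorted(records, key=lambda r: r["ts"]):
        # Indicator 1: a read-only principal reading the configuration endpoint.
        if rec["endpoint"] == "/utils/configuration" and rec["role"] in readonly_roles:
            findings.append({"rule": "readonly_config_read",
                             "user": rec["user"], "src_ip": rec["src_ip"]})
        if rec["event"] != "agent_enrollment":
            continue
        # Indicator 2: enrollment from a source outside the allow-list.
        if rec["src_ip"] not in trusted:
            findings.append({"rule": "enrollment_untrusted_source",
                             "user": rec["user"], "src_ip": rec["src_ip"]})
        # Indicator 3: many enrollments by one user inside a sliding window.
        times = enrollments[rec["user"]]
        times.append(rec["ts"])
        while times and rec["ts"] - times[0] > window:
            times.pop(0)
        if len(times) == threshold:  # fire when the threshold is first reached
            findings.append({"rule": "enrollment_burst",
                             "user": rec["user"], "count": len(times)})
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(f["rule"] for f in findings))


def count_by_user_ip(findings):
    """Mirror the SIEM query's 'stats count by user, src_ip' over findings."""
    return dict(Counter((f["user"], f.get("src_ip")) for f in findings))


if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

On the sample, the read-only user's configuration read followed by three enrollments within seconds from an untrusted address produces a config-read finding, three untrusted-source findings and one burst finding; the administrator's configuration read produces nothing, and only the provisioner's enrollment from the untrusted address is flagged. The burst rule fires once when the threshold is reached rather than on every subsequent enrollment, which keeps alert volume down during legitimate bulk provisioning.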