Overview
CVE-2025-54866 identifies a security vulnerability in the Wazuh agent, a key component of the Wazuh open-source security platform. This vulnerability, affecting versions 4.3.0 up to (but not including) 4.13.0, exposes the authd.pass password file to all authenticated users on the local machine. This unintended access allows these users to potentially impersonate the agent, leading to serious security risks. The issue has been resolved in Wazuh version 4.13.0.
Technical Details
The vulnerability stems from a missing Access Control List (ACL) on the C:\Program Files (x86)\ossec-agent\authd.pass file. This file stores the password used by the Wazuh agent for authentication with the Wazuh manager. Due to the missing ACL, any user with local authentication privileges on the Windows machine where the agent is installed can read the contents of this file. Exploitation requires local access to the affected system.
CVSS Analysis
A CVSS score had not been assigned at the time of writing, so the severity is listed as N/A. However, given the potential impact of password exposure, it should be treated as a high-risk vulnerability in affected environments. A successful exploit requires local access, but the potential for privilege escalation and agent impersonation makes patching extremely important.
Possible Impact
Exploitation of this vulnerability could have significant consequences:
- Agent Impersonation: An attacker can use the extracted password to impersonate the agent, potentially sending malicious data to the Wazuh manager.
- Privilege Escalation: Depending on the Wazuh configuration, successful agent impersonation could lead to broader access within the monitored environment.
- Data Tampering: A compromised agent could be used to tamper with collected security data, hindering accurate threat detection.
- Denial of Service: An attacker might disrupt the agent’s normal operations by exploiting the compromised authentication credentials.
Mitigation and Patch Steps
The recommended mitigation is to upgrade to Wazuh agent version 4.13.0 or later. This version includes the necessary ACL fix that restricts access to the authd.pass file. Follow these steps:
- Download: Download the latest Wazuh agent version (4.13.0 or later) from the official Wazuh website.
- Installation: Follow the official Wazuh documentation for upgrading the agent. Ensure that you back up your configuration before upgrading.
- Verification: After upgrading, verify that the authd.pass file has the correct permissions and is no longer accessible to authenticated users.
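The verification step above can be scripted. The following PowerShell audit is an added example, not Wazuh's own code; it assumes the default install path quoted in the advisory and that, in the hardened state, no broad local principal (Authenticated Users, BUILTIN\Users, Everyone) holds an Allow ACE with read rights on authd.pass.

```powershell
# Added example (not part of the Wazuh project): audit the ACL on authd.pass
# and report any ACE that lets ordinary local users read the agent password.
# Assumption: default install path from the advisory.
$Path = 'C:\Program Files (x86)\ossec-agent\authd.pass'

# Assumption: these principals should never hold an Allow ACE on the file.
# Inherited ACEs from Program Files (x86) typically grant BUILTIN\Users
# ReadAndExecute, which is exactly the exposure the advisory describes.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

function Test-AuthdPassAcl {
    param([string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        Write-Warning "File not found: $FilePath"
        return $null
    }

    $acl      = Get-Acl -LiteralPath $FilePath
    $readBit  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow ACEs that include the ReadData right are of interest.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $hasRead = (([int]$ace.FileSystemRights) -band $readBit) -ne 0
        if ($hasRead -and ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True => ACE came from the parent folder
            }
        }
    }

    [pscustomobject]@{
        Path               = $FilePath
        Owner              = $acl.Owner
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        ExposedTo          = @($findings)
        Vulnerable         = (@($findings).Count -gt 0)
    }
}

Test-AuthdPassAcl -FilePath $Path | Format-List
```

A result with Vulnerable set to True after upgrading to 4.13.0 or later indicates the ACL fix did not take effect and the upgrade should be re-checked against the official documentation.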
