Overview
CVE-2025-64483 describes a security vulnerability in the Wazuh API, part of Wazuh, an open-source security detection, visibility, and compliance project. Versions 4.9.0 up to (but not including) 4.13.0 are affected. The vulnerability allows authenticated users holding read-only API roles to retrieve agent enrollment credentials. Those credentials can then be used to register new agents within the same Wazuh tenant without proper authorization, bypassing the intended access controls.
Technical Details
The vulnerability resides in the /utils/configuration endpoint of the Wazuh API. Although this endpoint is intended for configuration retrieval, it inadvertently exposed agent enrollment credentials to users with read-only permissions. A malicious actor holding a read-only account, or an attacker who had compromised one, could therefore extract the information needed to register agents, bypassing the authorization mechanisms intended to govern agent onboarding.
CVSS Analysis
Currently, no CVSS score is available for CVE-2025-64483 (N/A). Although the vulnerability requires authentication, the potential impact of unauthorized agent registration could be significant. A comprehensive CVSS analysis would be performed by security analysts to determine the base, temporal, and environmental scores, leading to a final severity rating. Exploitability is fairly high: once a read-only user has been compromised, the flaw is not technically hard to exploit, and the attack vector is network-based (the Wazuh API is generally exposed on a network).
Possible Impact
The successful exploitation of CVE-2025-64483 could lead to several negative consequences:
- Unauthorized Agent Registration: Attackers can register rogue agents within the Wazuh environment, potentially injecting malicious code or exfiltrating sensitive data.
- Security Monitoring Evasion: Unauthorized agents could be used to mask malicious activity or disable security controls, hindering effective threat detection.
- Data Breach: Compromised agents could provide a foothold for attackers to access and exfiltrate sensitive data stored within the monitored environment.
- Compliance Violations: Unauthorized changes to the security infrastructure could lead to violations of regulatory compliance requirements.
Mitigation and Patch Steps
The vulnerability has been patched in Wazuh version 4.13.0. All users running versions 4.9.0 through 4.12.x are strongly recommended to upgrade to version 4.13.0 or later as soon as possible.
- Upgrade Wazuh: Follow the official Wazuh upgrade documentation to update your Wazuh deployment to version 4.13.0 or later.
- Verify Upgrade: After the upgrade, confirm that the Wazuh API version is 4.13.0 or higher.
- Review API Access: Audit API access roles and permissions to ensure that only authorized users have the necessary privileges.
- Monitor for Suspicious Activity: Continuously monitor your Wazuh environment for any unusual agent registrations or suspicious activities.
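The following script is an added example written for this advisory; it is not Wazuh's own code and does not call the Wazuh API. It covers the "Verify Upgrade" and "Monitor for Suspicious Activity" steps above, and the affected-version range from the Technical Details section: is_affected() compares a version string against the 4.9.0 <= v < 4.13.0 range the advisory names, and review_registrations() flags agent registrations that originate outside the networks you expect enrollment to come from, or that arrive in a burst from one source address. The event shape (ts, agent, source_ip) and the sample events are constructed for this example and are not a Wazuh log format; the version string is assumed to have been read from your API deployment separately.

```python
"""Post-upgrade checks for CVE-2025-64483 (constructed example, not Wazuh code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

AFFECTED_MIN = (4, 9, 0)   # first affected release named by the advisory
FIXED_IN = (4, 13, 0)      # release that carries the fix


def parse_version(text):
    """Turn '4.12.1' (optionally prefixed with 'v') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the deployment sits in the vulnerable range 4.9.0 <= v < 4.13.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def review_registrations(events, allowed_networks, burst=3,
                         window=timedelta(minutes=10)):
    """Return (reason, agent, source_ip) findings for suspicious registrations.

    `events` is a list of dicts with 'ts' (ISO 8601), 'agent' and 'source_ip';
    this shape is constructed for the example. Two signals are raised:
    - outside_enrollment_network: source address not in an allowed network
    - registration_burst: `burst` registrations from one address within `window`
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    recent_by_source = defaultdict(list)

    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        ip = ipaddress.ip_address(ev["source_ip"])
        ts = datetime.fromisoformat(ev["ts"])

        if not any(ip in net for net in nets):
            findings.append(("outside_enrollment_network", ev["agent"], ev["source_ip"]))

        # keep only this source's registrations that fall inside the window
        recent = [t for t in recent_by_source[ip] if ts - t <= window]
        recent.append(ts)
        recent_by_source[ip] = recent
        if len(recent) == burst:
            findings.append(("registration_burst", ev["agent"], ev["source_ip"]))

    return findings


# Constructed sample data: two normal enrollments from the internal range,
# then three rapid registrations from an address outside it.
SAMPLE_EVENTS = [
    {"ts": "2025-11-10T09:00:00", "agent": "web-01", "source_ip": "10.0.5.21"},
    {"ts": "2025-11-10T09:04:00", "agent": "web-02", "source_ip": "10.0.5.22"},
    {"ts": "2025-11-10T23:41:00", "agent": "tmp-a", "source_ip": "203.0.113.7"},
    {"ts": "2025-11-10T23:42:00", "agent": "tmp-b", "source_ip": "203.0.113.7"},
    {"ts": "2025-11-10T23:43:00", "agent": "tmp-c", "source_ip": "203.0.113.7"},
]
ALLOWED_NETWORKS = ["10.0.0.0/8"]   # assumed enrollment range for the example


if __name__ == "__main__":
    for v in ("4.8.2", "4.9.0", "4.12.3", "4.13.0"):
        print(f"Wazuh API {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for reason, agent, src in review_registrations(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print(f"{reason}: agent={agent} source={src}")
```

Feed review_registrations() the registration records your deployment actually produces (after mapping them to the ts/agent/source_ip shape) and tune the allowed networks, burst size and window to your enrollment process; the defaults here are illustrative only.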
References
GHSA-gwf3-8gm3-qrmj (GitHub Security Advisory)
Wazuh Official Website
Wazuh Official Documentation
