Published: 2025-11-21
Overview
A high-severity vulnerability, identified as CVE-2025-30201, has been discovered in the Wazuh Agent. It allows an authenticated attacker to trigger NTLM relay attacks, potentially leading to privilege escalation and remote code execution. The flaw arises from the agent's handling of malicious UNC (Universal Naming Convention) paths within its configuration settings.
Technical Details
The vulnerability stems from the Wazuh Agent's processing of configuration parameters. An authenticated attacker can inject malicious UNC paths into various agent configuration settings. When the agent attempts to access such a path, it initiates an NTLM authentication handshake with a server controlled by the attacker, who can capture the NTLM credentials and relay them to another service, such as the Wazuh Manager itself or any other vulnerable system on the network.
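As an added defensive check (not the advisory's or Wazuh's own code), the following scanner flags UNC paths in a Wazuh agent configuration whose host is not on an allowlist, so that unexpected remote references can be reviewed before the agent tries to open them. The ossec.conf fragment and host names are constructed; the advisory does not say which settings are affected, so every element text and attribute value is scanned.

```python
import re
import xml.etree.ElementTree as ET

# Matches the host component of a UNC path (\\host\share or //host/share).
# The negative lookbehind keeps "http://..." style URLs from matching.
UNC_HOST = re.compile(r'(?:\\\\|(?<!:)//)([^\\/\s<>"]+)')

# Constructed ossec.conf-style fragment for demonstration (not from the
# advisory). Element names follow the Wazuh agent configuration layout.
SAMPLE_CONFIG = r"""<ossec_config>
  <syscheck>
    <directories check_all="yes">C:\Windows\System32</directories>
    <directories>\\fileserver.corp.example\logs</directories>
    <directories>\\203.0.113.10\share\x</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <localfile>
    <location>//unknown-host.example/c$/app.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>"""


def _walk(elem, path, allowed, out):
    here = f"{path}/{elem.tag}" if path else elem.tag
    for value in [elem.text or "", *elem.attrib.values()]:
        for host in UNC_HOST.findall(value):
            if host.lower() not in allowed:
                out.append((here, host, value.strip()))
    for child in elem:
        _walk(child, here, allowed, out)


def find_unc_references(config_xml, allowed_hosts):
    """Return (element path, host, raw value) for every UNC reference
    whose host is not in the allowlist (case-insensitive)."""
    # ossec.conf commonly holds several top-level <ossec_config> blocks,
    # which is not one well-formed document; wrap them in a synthetic root.
    wrapper = ET.fromstring(f"<wrapper>{config_xml}</wrapper>")
    allowed = {h.lower() for h in allowed_hosts}
    out = []
    for block in wrapper:
        _walk(block, "", allowed, out)
    return out


if __name__ == "__main__":
    for path, host, value in find_unc_references(SAMPLE_CONFIG, {"fileserver.corp.example"}):
        print(f"{path}: UNC host {host!r} not allowlisted -> {value}")
```

Run it against each agent's ossec.conf (and any centrally pushed agent.conf) with the hosts you legitimately serve shares from in the allowlist; anything it reports is a candidate for an unexpected outbound authentication.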
CVSS Analysis
- CVE ID: CVE-2025-30201
- Severity: HIGH
- CVSS Score: 7.7
A CVSS score of 7.7 indicates a high-severity vulnerability. The ability for an attacker to escalate privileges or execute code remotely makes this a significant threat.
Possible Impact
Successful exploitation of CVE-2025-30201 can lead to:
- Privilege Escalation: An attacker can gain elevated privileges on the Wazuh Agent host.
- Remote Code Execution: In certain scenarios, an attacker might achieve remote code execution on the Wazuh Agent host or other systems within the network through NTLM relay attacks.
- Lateral Movement: Compromised credentials can be used to move laterally within the network, compromising additional systems.
Mitigation and Patch Steps
The vulnerability has been addressed in Wazuh version 4.13.0. Upgrading all Wazuh Agent installations to version 4.13.0 or later as soon as possible is strongly recommended. The upgrade process typically involves the following steps:
- Download the latest Wazuh Agent package from the official Wazuh website.
- Follow the installation instructions provided in the Wazuh documentation.
- Restart the Wazuh Agent service after the upgrade is complete.
