CVE-2025-15612

EUVD-2025-209107 MEDIUM
2026-03-27 VulnCheck GHSA-wp7g-9j3h-9mcg
6.3
CVSS 4.0

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2025-209107
CVE Published
Mar 27, 2026 - 18:16 nvd
MEDIUM 6.3

Description

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.

Analysis

Wazuh provisioning scripts and container build environments disable SSL/TLS certificate validation by invoking curl with the -k/--insecure flag, enabling man-in-the-middle attackers to intercept and modify downloaded dependencies during the build process and achieve remote code execution within the agent build infrastructure and supply chain. Unauthenticated network attackers with positioning on the network path can exploit this with moderate complexity to compromise the integrity of Wazuh agent builds, affecting all downstream deployments. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical Context

The vulnerability is an instance of CWE-295 (Improper Certificate Validation), a root-cause class that undermines the transport security TLS is meant to provide. Wazuh provisioning scripts and Dockerfiles used in agent build environments invoke curl with the -k or --insecure flag, which disables verification of both the server certificate chain and the hostname it is issued for. Any attacker positioned on the network path (between the build system and the remote package repositories or dependency servers) can therefore present a self-signed or forged certificate and intercept the connection without curl reporting a validation error. The affected product, identified via CPE as cpe:2.3:a:wazuh:wazuh_provisioning_scripts_(agent_build_environment):*:*:*:*:*:*:*:*, encompasses the build infrastructure scripts that bootstrap and construct Wazuh agents. During build execution, these insecure curl invocations download code and dependencies, creating a supply chain injection point where adversaries can substitute malicious payloads for legitimate artifacts.

Affected Products

Wazuh provisioning scripts and Dockerfiles used in the agent build environment are affected across all versions, as identified by CPE cpe:2.3:a:wazuh:wazuh_provisioning_scripts_(agent_build_environment):*:*:*:*:*:*:*:*. This covers the build infrastructure components distributed with Wazuh for constructing agent binaries. The vulnerability is not version-pinned in the available data, suggesting it affects the entire product line unless explicitly patched. Refer to the official Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg and the VulnCheck advisory at https://www.vulncheck.com/advisories/various-uses-of-curl-without-verifying-the-authenticity-of-the-ssl-certificate-leading-to-mitm-rce-in-build-infrastructure for complete version and scope details.

Remediation

Remove all curl invocations that use -k, --insecure, or an equivalent certificate-disabling flag in provisioning scripts and Dockerfiles. Replace them with curl commands that perform full certificate validation (the default behavior when no insecure flag is present), or point curl at a trusted certificate authority bundle with --cacert where the build environment's system trust store is not sufficient. For build environments using package managers or artifact repositories, configure the underlying tools (apt, yum, pip, npm, etc.) to use trusted certificate stores rather than bypassing validation at the curl layer. Audit all agent builds produced with the vulnerable scripts and re-build them with patched provisioning code. For Wazuh deployments already running agents built from insecure provisioning scripts, isolate build systems from untrusted networks through network segmentation and enforce certificate pinning or proxy-side validation where feasible. Consult the Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg for specific patched versions and deployment guidance once available.
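The following POSIX shell script is an added example and is not part of this advisory or the Wazuh project's own code. It covers both halves of the remediation above: an audit function that finds curl invocations carrying -k or --insecure (including -k folded into a short-option cluster such as -fsSLk) in provisioning scripts and Dockerfiles, and a hardened download function that leaves certificate validation enabled, optionally points curl at a trusted CA bundle with --cacert, refuses non-HTTPS transports, and discards the artifact unless its SHA-256 digest matches a value pinned in the script. The sample Dockerfile and script it scans are constructed for the example; the URLs, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not Wazuh's own code: audit build scripts for curl invocations that
# disable certificate validation (CWE-295) and show the hardened download pattern
# (default verification, optional --cacert, HTTPS only, pinned checksum).
set -eu

# scan_insecure_curl FILE...
# Prints "file:line:text" for each line where curl is given --insecure, a bare -k,
# or a k inside a short-option cluster such as -fsSLk. Returns 1 if any hit.
# Only -k/--insecure are covered, matching the flags the advisory names.
scan_insecure_curl() {
    found=0
    for f in "$@"; do
        # -n prefixes line numbers; -E enables ERE. The flag must begin a word, so
        # --cacert, -o, or URL text that happens to contain "k" is not matched.
        hits=$(grep -nE 'curl[^|&;]*[[:space:]]-(-insecure|[A-Za-z]*k[A-Za-z]*)([[:space:]]|$)' "$f" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"   # assumes no "|" in the path
            found=1
        fi
    done
    return "$found"
}

# sha256_of FILE: hex digest, using whichever tool the host provides
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if the digest matches
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL DEST EXPECTED_SHA256 [CA_BUNDLE]
# Hardened replacement for "curl -k URL -o DEST": certificate validation stays at
# curl's default, --proto/--proto-redir '=https' refuse a downgrade to plain http
# (also on redirects), --cacert (optional) names a trusted CA bundle instead of
# disabling checks, and the file is deleted unless its pinned digest matches.
fetch_verified() {
    url=$1; dest=$2; expected=$3; ca_bundle=${4:-}
    if [ -n "$ca_bundle" ]; then
        curl --fail --silent --show-error --location --tlsv1.2 \
             --proto '=https' --proto-redir '=https' \
             --cacert "$ca_bundle" --output "$dest" "$url"
    else
        curl --fail --silent --show-error --location --tlsv1.2 \
             --proto '=https' --proto-redir '=https' \
             --output "$dest" "$url"
    fi
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        echo "checksum mismatch for $url; artifact discarded" >&2
        return 1
    fi
}

# make_samples: writes constructed sample inputs (not from the Wazuh repository)
# into a temporary directory and prints its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile.bad" <<'EOF'
FROM debian:stable-slim
RUN curl -fsSLk https://example.invalid/toolchain.tar.gz -o /tmp/toolchain.tar.gz
RUN curl --insecure -O https://example.invalid/deps.sh && sh deps.sh
EOF
    cat > "$dir/provision.sh" <<'EOF'
#!/bin/sh
curl --fail --cacert /etc/ssl/certs/ca-certificates.crt \
     https://example.invalid/toolchain.tar.gz -o /tmp/toolchain.tar.gz
EOF
    printf '%s\n' "$dir"
}

# Run the audit over the constructed samples: the Dockerfile is reported, the
# provisioning script that keeps validation enabled is not.
samples=$(make_samples)
if scan_insecure_curl "$samples/Dockerfile.bad" "$samples/provision.sh"; then
    echo "no insecure curl invocations found"
else
    echo "insecure curl invocations found; replace them with verified downloads" >&2
fi
rm -rf "$samples"
```

Run the audit across a checkout with something like `find . -name Dockerfile\* -o -name \*.sh | xargs sh -c 'scan_insecure_curl "$@"' _` after sourcing the script; a non-zero exit makes it usable as a CI gate. The pinned digest in `fetch_verified` is what closes the gap the advisory describes: even a correctly validated TLS connection does not prove the artifact is the one the build expects, so the expected SHA-256 (or a signature check) should live in the script alongside the URL.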

Priority Score

32
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0
