Skip to main content

Wazuh Manager CVE-2025-15615

| EUVDEUVD-2025-209102 MEDIUM
Incorrect Default Permissions (CWE-276)
2026-03-27 VulnCheck GHSA-36r3-mw6j-7ffc
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 16:45 euvd
EUVD-2025-209102
Analysis Generated
Mar 27, 2026 - 16:45 vuln.today
CVE Published
Mar 27, 2026 - 16:23 nvd
MEDIUM 6.9

DescriptionCVE.org

Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack of renegotiation limits to consume CPU resources and render the authd service unavailable.

AnalysisAI

Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation requests, allowing unauthenticated remote attackers to trigger excessive renegotiations that consume CPU resources and cause denial of service. The vulnerability affects the authentication daemon across all Wazuh Manager deployments running vulnerable versions, enabling attackers to render the authd service unavailable with no authentication required and minimal attack complexity.

Technical ContextAI

The vulnerability resides in the Wazuh Manager's authd (authentication daemon) service, which handles SSL/TLS connections for agent authentication and enrollment. The root cause is classified under CWE-276 (Improper Restriction of Rendered UI Layers or Frames), though the manifestation is an improper restriction of client-initiated SSL/TLS renegotiation. TLS renegotiation is a legitimate protocol feature allowing clients and servers to establish fresh cipher suites and keys mid-connection; however, unrestricted renegotiation can be abused as a denial-of-service vector. When a server fails to implement rate limiting or connection-level renegotiation caps, an attacker can send rapid renegotiation requests (CLIENT_HELLO messages with renegotiation indication) forcing the server to perform expensive cryptographic operations repeatedly. The affected product (cpe:2.3:a:wazuh:wazuh-manager) implements the TLS stack without adequate safeguards, allowing a single attacker to exhaust authd CPU resources and prevent legitimate agents from authenticating.

RemediationAI

Upgrade Wazuh Manager to a version released after 4.7.3 as indicated by the vendor security advisory (https://github.com/wazuh/wazuh/security/advisories/GHSA-rr83-v9v7-jjhp); consult the advisory for the exact patched version number. Until patching is feasible, implement network-level mitigations: restrict authd service network exposure to a firewall rule allowing only known agent IP ranges or subnets, disable TLS renegotiation at the reverse proxy or load balancer level (most reverse proxies support 'SSLRenegotiate none' or equivalent), and implement rate limiting on TLS connection establishment per source IP. Monitor authd process CPU utilization and set alerts for sustained high usage as an early indicator of renegotiation-based attack. If authd is exposed to untrusted networks, implement a WAF or DDoS mitigation service that can detect and throttle excessive renegotiation requests.

Share

CVE-2025-15615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy