CVE-2025-15616

EUVD-2025-209103 | HIGH
2026-03-27 | VulnCheck | GHSA-7qjf-9w96-fxjq
CVSS 4.0 score: 7.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated: Mar 27, 2026 - 17:15 (vuln.today)
EUVD ID Assigned: Mar 27, 2026 - 17:15 (euvd), EUVD-2025-209103
CVE Published: Mar 27, 2026 - 16:38 (nvd), HIGH 7.1

Description

Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters. Attackers can exploit these vulnerabilities by injecting malicious commands through configuration files, SMTP server settings, and custom flags to achieve remote code execution on affected systems.

Analysis

Multiple shell injection and untrusted search path vulnerabilities in the Wazuh agent and manager (versions 2.1.0 through 4.7.x) enable remote code execution through malicious configuration parameters. Authenticated attackers with high privileges can inject commands via logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters. The CVSS 4.0 score of 7.1 reflects a network-accessible attack vector with low complexity that nevertheless requires high-privilege credentials; no public exploit had been identified at the time of analysis.

Technical Context

Wazuh is an open-source security monitoring platform deployed in an agent-manager architecture for threat detection and compliance monitoring. The affected products are identified by the CPE strings cpe:2.3:a:wazuh:wazuh-agent and cpe:2.3:a:wazuh:wazuh-manager. The vulnerability class is CWE-94 (Improper Control of Generation of Code), manifesting as shell injection flaws in multiple components: the logcollector module that processes log collection configuration, the maild daemon that handles SMTP server configuration for alerting, and the Kaspersky Active Response integration script. These components fail to sanitize user-supplied input before passing it to a shell interpreter, so command metacharacters in a configuration value can break out of the intended command context. The untrusted search path component suggests that PATH environment manipulation may also be exploitable to load malicious executables.

Affected Products

Wazuh wazuh-agent versions 2.1.0 through 4.7.x (prior to 4.8.0) and Wazuh wazuh-manager versions 2.1.0 through 4.7.x (prior to 4.8.0) are affected. The vulnerability spans nearly four years of releases across both agent and manager components. Affected products are confirmed via CPE identifiers cpe:2.3:a:wazuh:wazuh-agent and cpe:2.3:a:wazuh:wazuh-manager. The vendor security advisory is available at https://github.com/wazuh/wazuh/security/advisories/GHSA-522v-p59v-58gm with additional technical details at VulnCheck advisory https://www.vulncheck.com/advisories/multiple-vulnerabilities-related-to-shell-injection-and-path-traversal-flaws.

Remediation

Upgrade Wazuh wazuh-agent and wazuh-manager to version 4.8.0 or later, which addresses all identified shell injection and untrusted search path vulnerabilities (see vendor advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-522v-p59v-58gm). Until patching is feasible, implement defense-in-depth controls including strict access control to Wazuh management interfaces with multi-factor authentication, audit logging of all configuration changes, input validation on configuration files before deployment, and network segmentation to isolate Wazuh infrastructure from untrusted networks. Review existing logcollector, maild, and Kaspersky AR configurations for suspicious command injection patterns or unexpected metacharacters. Organizations unable to immediately upgrade should restrict configuration modification privileges to a minimal set of trusted administrators and monitor for unauthorized configuration changes through file integrity monitoring.
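The Technical Context section identifies the configuration values that reach a shell (the maild SMTP server tag and logcollector command entries), and the Remediation section asks administrators to review those values for unexpected metacharacters. The script below is an added example of that configuration review, written for this page; it is not code from vuln.today, VulnCheck or the Wazuh project. It assumes an ossec.conf-style layout in which the SMTP server lives at `<global><smtp_server>` and logcollector commands at `<localfile><command>`, and it runs on a small configuration constructed inline for the example. SMTP server values are held to a strict hostname shape, and logcollector commands are compared against an administrator-maintained allowlist, so anything containing chaining or substitution characters outside that list is reported for a human to look at.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that indicate chaining, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")

# A bare hostname or IP literal: the only thing an SMTP server tag should hold.
HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]*$")

# Commands an administrator has signed off on for logcollector (assumed policy).
APPROVED_COMMANDS = {"df -P"}

# Constructed sample configuration; the tag layout is an assumption of this example.
# The second block carries one bad SMTP value and one command that is not on the allowlist.
SAMPLE_CONF = """
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>mail.example.internal</smtp_server>
  </global>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>
</ossec_config>
<ossec_config>
  <global>
    <smtp_server>mail.example.internal;INJECTED</smtp_server>
  </global>
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan | grep LISTEN</command>
  </localfile>
</ossec_config>
"""


def audit_config(xml_text, approved_commands):
    """Return findings for smtp_server and localfile command values in xml_text.

    Each finding is a dict with the component, the offending value and a reason.
    """
    # A Wazuh ossec.conf may hold several top-level <ossec_config> blocks, which
    # is not well-formed XML by itself, so wrap the text in a synthetic root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    findings = []
    for cfg in root.iter("ossec_config"):
        # The SMTP server must be a plain hostname or address; anything else is suspect.
        for node in cfg.findall("global/smtp_server"):
            value = (node.text or "").strip()
            if not HOSTNAME.match(value):
                m = SHELL_META.search(value)
                findings.append({
                    "component": "maild smtp_server",
                    "value": value,
                    "reason": f"metacharacter {m.group(0)!r}" if m else "not a hostname",
                })
        # Logcollector commands are legitimately shell commands, so compare them
        # against the allowlist and note which metacharacter made an unapproved one risky.
        for node in cfg.findall("localfile/command"):
            value = (node.text or "").strip()
            if value in approved_commands:
                continue
            m = SHELL_META.search(value)
            findings.append({
                "component": "logcollector command",
                "value": value,
                "reason": (f"unapproved command with metacharacter {m.group(0)!r}"
                           if m else "unapproved command"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF, APPROVED_COMMANDS):
        print(f"{f['component']}: {f['value']!r} ({f['reason']})")
```

On the constructed configuration the first block passes cleanly and the second produces two findings: the SMTP server value containing `;` and the piped netstat command, which is absent from the allowlist. In practice the allowlist is the control that matters: a logcollector command with a pipe is not itself a defect, but one that nobody approved is exactly the kind of unauthorized configuration change the Remediation section says to monitor for.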

Priority Score

Priority Score: 36 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +36
POC: 0
