Skip to main content

Wazuh Agent CVE-2025-15616

| EUVDEUVD-2025-209103 HIGH
Code Injection (CWE-94)
2026-03-27 VulnCheck GHSA-7qjf-9w96-fxjq
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.8.0
EUVD ID Assigned
Mar 27, 2026 - 17:15 euvd
EUVD-2025-209103
Analysis Generated
Mar 27, 2026 - 17:15 vuln.today
CVE Published
Mar 27, 2026 - 16:38 nvd
HIGH 7.1

DescriptionCVE.org

Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters. Attackers can exploit these vulnerabilities by injecting malicious commands through configuration files, SMTP server settings, and custom flags to achieve remote code execution on affected systems.

AnalysisAI

Multiple shell injection and untrusted search path vulnerabilities in Wazuh agent and manager (versions 2.1.0 through 4.7.x) enable remote code execution through malicious configuration parameters. Authenticated attackers with high privileges can inject commands via logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters. The CVSS 4.0 score of 7.1 reflects network-accessible attack vector with low complexity but requiring high-privilege credentials; no public exploit identified at time of analysis.

Technical ContextAI

Wazuh is an open-source security monitoring platform deployed as agent-manager architecture for threat detection and compliance monitoring. The affected products are identified by CPE strings cpe:2.3:a:wazuh:wazuh-agent and cpe:2.3:a:wazuh:wazuh-manager. The vulnerability class is CWE-94 (Improper Control of Generation of Code), manifesting as shell injection flaws in multiple components: the logcollector module that processes log collection configuration, the maild daemon that handles SMTP server configuration for alerting, and the Kaspersky Active Response integration script. These components fail to properly sanitize user-supplied input before passing it to shell interpreters, allowing command metacharacters to break out of intended command contexts. The untrusted search path component suggests PATH environment manipulation may also be exploitable to load malicious executables.

RemediationAI

Upgrade Wazuh wazuh-agent and wazuh-manager to version 4.8.0 or later, which addresses all identified shell injection and untrusted search path vulnerabilities (see vendor advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-522v-p59v-58gm). Until patching is feasible, implement defense-in-depth controls including strict access control to Wazuh management interfaces with multi-factor authentication, audit logging of all configuration changes, input validation on configuration files before deployment, and network segmentation to isolate Wazuh infrastructure from untrusted networks. Review existing logcollector, maild, and Kaspersky AR configurations for suspicious command injection patterns or unexpected metacharacters. Organizations unable to immediately upgrade should restrict configuration modification privileges to a minimal set of trusted administrators and monitor for unauthorized configuration changes through file integrity monitoring.

Share

CVE-2025-15616 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy