Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Agent communicates over network (AV:N), enrollment credential suffices as low privilege (PR:L), and wazuh-remoted crash fully eliminates agent visibility for the entire deployment (A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a size_t integer underflow in os_crypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately disconnecting all agents from the manager. A second code path reached by the same underflow may allow heap memory corruption. This issue has been fixed in version 4.14.5.
AnalysisAI
Remote denial-of-service and potential heap corruption in the Wazuh manager's wazuh-remoted daemon allows any enrolled agent to crash the manager's agent-communication process, instantly severing all agent connections across the entire deployment. Affected versions span 3.0.0 through 4.14.4; a secondary code path triggered by the same underflow may permit heap memory write primitives beyond pure DoS. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid Wazuh agent enrollment credential - either by controlling a legitimately enrolled agent or by stealing an agent key (CVSS PR:L confirms low-privilege enrolled-agent access is required; unauthenticated remote attackers cannot trigger this). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H scores 6.5, which appropriately reflects the primary availability impact: a network-accessible crash with minimal complexity requiring only enrolled-agent credentials. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised a single Wazuh-monitored endpoint - or who has exfiltrated an agent enrollment key - sends a crafted message to the Wazuh manager that triggers the size_t underflow in msgs.c:389, crashing wazuh-remoted. All other agents immediately lose connectivity to the manager, creating a monitoring blackout across the entire Wazuh deployment that the attacker can exploit to conduct further activity undetected. … |
| Remediation | Upgrade Wazuh manager to version 4.14.5, which contains the official fix per vendor advisory GHSA-jv5r-5p7c-g9fq at https://github.com/wazuh/wazuh/security/advisories/GHSA-jv5r-5p7c-g9fq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
In the wazuh-slack active response script in Wazuh 4.2.x before 4.2.5, untrusted user agents are passed to a curl comman
A critical deserialization vulnerability in Wazuh's cluster mode allows attackers with access to any worker node to achi
The agent in OSSEC through 3.1.0 on Windows allows local users to gain NT AUTHORITY\SYSTEM access via Directory Traversa
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that al
Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial o
NDJSON injection in Wazuh Manager before 5.0.0-beta3 lets any enrolled agent smuggle arbitrary OpenSearch bulk operation
Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated critical severity (C
Privilege escalation in Wazuh Manager versions 3.9.0 through 4.14.2 allows authenticated cluster nodes to achieve unauth
Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that
Wazuh is a security detection, visibility, and compliance open source project. Rated high severity (CVSS 8.8), this vuln
Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code exe
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45089