Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Wazuh Manager authd service in wazuh-manager packages through version 4.7.3 contains an improper restriction of client-initiated SSL/TLS renegotiation vulnerability that allows remote attackers to cause a denial of service by sending excessive renegotiation requests. Attackers can exploit the lack of renegotiation limits to consume CPU resources and render the authd service unavailable.
AnalysisAI
Wazuh Manager authd service through version 4.7.3 fails to properly restrict client-initiated SSL/TLS renegotiation requests, allowing unauthenticated remote attackers to trigger excessive renegotiations that consume CPU resources and cause denial of service. The vulnerability affects the authentication daemon across all Wazuh Manager deployments running vulnerable versions, enabling attackers to render the authd service unavailable with no authentication required and minimal attack complexity.
Technical ContextAI
The vulnerability resides in the Wazuh Manager's authd (authentication daemon) service, which handles SSL/TLS connections for agent authentication and enrollment. The root cause is classified under CWE-276 (Improper Restriction of Rendered UI Layers or Frames), though the manifestation is an improper restriction of client-initiated SSL/TLS renegotiation. TLS renegotiation is a legitimate protocol feature allowing clients and servers to establish fresh cipher suites and keys mid-connection; however, unrestricted renegotiation can be abused as a denial-of-service vector. When a server fails to implement rate limiting or connection-level renegotiation caps, an attacker can send rapid renegotiation requests (CLIENT_HELLO messages with renegotiation indication) forcing the server to perform expensive cryptographic operations repeatedly. The affected product (cpe:2.3:a:wazuh:wazuh-manager) implements the TLS stack without adequate safeguards, allowing a single attacker to exhaust authd CPU resources and prevent legitimate agents from authenticating.
RemediationAI
Upgrade Wazuh Manager to a version released after 4.7.3 as indicated by the vendor security advisory (https://github.com/wazuh/wazuh/security/advisories/GHSA-rr83-v9v7-jjhp); consult the advisory for the exact patched version number. Until patching is feasible, implement network-level mitigations: restrict authd service network exposure to a firewall rule allowing only known agent IP ranges or subnets, disable TLS renegotiation at the reverse proxy or load balancer level (most reverse proxies support 'SSLRenegotiate none' or equivalent), and implement rate limiting on TLS connection establishment per source IP. Monitor authd process CPU utilization and set alerts for sustained high usage as an early indicator of renegotiation-based attack. If authd is exposed to untrusted networks, implement a WAF or DDoS mitigation service that can detect and throttle excessive renegotiation requests.
More in Wazuh Manager
View allSame weakness CWE-276 – Incorrect Default Permissions
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209102
GHSA-36r3-mw6j-7ffc