Skip to main content

Wazuh Provisioning Scripts Agent Build Environment EUVDEUVD-2025-209107

| CVE-2025-15612 MEDIUM
Improper Certificate Validation (CWE-295)
2026-03-27 VulnCheck GHSA-wp7g-9j3h-9mcg
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 27, 2026 - 19:00 euvd
EUVD-2025-209107
Analysis Generated
Mar 27, 2026 - 19:00 vuln.today
CVE Published
Mar 27, 2026 - 18:16 nvd
MEDIUM 6.3

DescriptionCVE.org

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.

AnalysisAI

Wazuh provisioning scripts and container build environments disable SSL/TLS certificate validation by invoking curl with the -k/--insecure flag, enabling man-in-the-middle attackers to intercept and modify downloaded dependencies during the build process and achieve remote code execution within the agent build infrastructure and supply chain. Unauthenticated network attackers with positioning on the network path can exploit this with moderate complexity to compromise the integrity of Wazuh agent builds, affecting all downstream deployments. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability stems from improper implementation of CWE-295 (Improper Certificate Validation), a root cause class affecting cryptographic and transport security. Wazuh provisioning scripts and Dockerfiles used in agent build environments invoke curl with the -k or --insecure flag, which explicitly disables hostname and certificate verification in SSL/TLS connections. This allows any attacker positioned on the network path (between the build system and remote package repositories or dependency servers) to present a self-signed or forged certificate and intercept the connection without triggering validation errors. The affected product, identified via CPE as cpe:2.3:a:wazuh:wazuh_provisioning_scripts_(agent_build_environment):*:*:*:*:*:*:*:*, encompasses the build infrastructure scripts that bootstrap and construct Wazuh agents. During build execution, these insecure curl invocations download code and dependencies, creating a critical supply chain injection point where adversaries can substitute malicious payloads for legitimate artifacts.

RemediationAI

Remove or replace all instances of curl invocations with the -k, --insecure, or equivalent certificate-disabling flags in provisioning scripts and Dockerfiles. Replace them with curl commands that perform full certificate validation (the default behavior when no insecure flags are present) or explicitly use --cacert to pinpoint trusted certificate authority bundles. For build environments using package managers or artifact repositories, configure the underlying tools (apt, yum, pip, npm, etc.) to use trusted certificate stores rather than bypassing validation at the curl layer. Immediately audit all agent builds produced using the vulnerable scripts and consider re-building with patched provisioning code. For Wazuh deployments already using agents built from insecure provisioning scripts, implement network segmentation to isolate build systems from untrusted networks and enforce certificate pinning or proxy validation where feasible. Consult the Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg for specific patched versions and deployment guidance once available.

Share

EUVD-2025-209107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy