CVE-2025-30201 Overview
CVE-2025-30201 is a critical vulnerability in Wazuh, a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, authenticated attackers can exploit a flaw in the Wazuh Agent that allows them to force NTLM authentication through malicious UNC paths embedded in various agent configuration settings. This vulnerability can lead to NTLM relay attacks, potentially resulting in privilege escalation and remote code execution within affected environments.
Critical Impact
Authenticated attackers can leverage malicious UNC paths to coerce NTLM authentication, enabling relay attacks that may lead to full system compromise through privilege escalation and remote code execution.
Affected Products
- Wazuh Agent versions prior to 4.13.0
- Wazuh platform deployments on Windows systems
- Environments utilizing Wazuh Agent configuration settings that accept file paths
Discovery Timeline
- 2025-11-21 - CVE-2025-30201 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-30201
Vulnerability Analysis
This vulnerability (CWE-73: External Control of File Name or Path) occurs when the Wazuh Agent improperly handles file path inputs in configuration settings. The agent fails to validate whether specified paths point to network locations (UNC paths) versus local file system resources. When an attacker with authenticated access to agent configuration settings supplies a malicious UNC path (e.g., \\attacker-server\share), the Windows operating system automatically attempts NTLM authentication to the remote server.
The attack chain unfolds when the Wazuh Agent process attempts to access the attacker-controlled network resource, causing Windows to send NTLM authentication credentials. These credentials can be captured and relayed to other systems or services, bypassing authentication and potentially gaining elevated privileges on domain-joined systems.
Root Cause
The root cause stems from insufficient validation of file paths in the Wazuh Agent configuration handling code. The agent accepts user-controllable path values without checking whether they reference network drives or UNC paths. On Windows systems, accessing a UNC path triggers automatic NTLM authentication negotiation, which can be exploited by attackers who can manipulate these configuration values.
The fix introduces network drive detection by linking the Windows Multiple Provider Router library (mpr.dll, passed to the linker as -lmpr) into the Windows agent build. That library exports the Windows Networking (WNet) API, which lets the agent identify paths that resolve to network locations and refuse to process them.
Attack Vector
The attack requires authenticated access to modify Wazuh Agent configuration settings. Once achieved, the attacker injects a malicious UNC path pointing to an attacker-controlled SMB server. When the agent processes the configuration and attempts to access the path:
- Windows initiates NTLM authentication to the attacker's server
- The attacker captures the NTLM challenge-response
- The captured credentials are relayed to target systems (NTLM relay attack)
- Successful relay can grant the attacker access with the victim's privileges
The security patch adds validation to detect network drives and UNC paths, preventing the agent from processing these malicious path values.
# Security patch in src/Makefile adding network drive detection support
# Source: https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a
winagent: external win32/libwinpthread-1.dll win32/libwinpthreadpatched.a ${WAZUH_LIB_OUTPUT_PATH}${LIBGCC_S_NAME} ${WAZUH_LIB_OUTPUT_PATH}${LIBSTDCPP_NAME} win32/version-dll.o win32/version-app.o
${MAKE} ${WAZUHEXT_LIB} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1" LIBS="-lwsock32 -lws2_32 -lcrypt32"
${MAKE} ${WINDOWS_LIBS} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1"
- ${MAKE} ${WINDOWS_BINS} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1" LIBS="-lwsock32 -lwevtapi -lshlwapi -lcomctl32 -ladvapi32 -lkernel32 -lpsapi -lgdi32 -liphlpapi -lws2_32 -lcrypt32 -lwintrust"
- ${MAKE} ${WINDOWS_ACTIVE_RESPONSES} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1" LIBS="-lwsock32 -lwevtapi -lshlwapi -lcomctl32 -ladvapi32 -lkernel32 -lpsapi -lgdi32 -liphlpapi -lws2_32 -lcrypt32 -lwintrust"
+ ${MAKE} ${WINDOWS_BINS} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1" LIBS="-lwsock32 -lwevtapi -lshlwapi -lcomctl32 -ladvapi32 -lkernel32 -lpsapi -lgdi32 -liphlpapi -lws2_32 -lcrypt32 -lwintrust -lmpr"
+ ${MAKE} ${WINDOWS_ACTIVE_RESPONSES} CFLAGS="-DCLIENT -D_POSIX_C_SOURCE -DWIN32 -DPSAPI_VERSION=1" LIBS="-lwsock32 -lwevtapi -lshlwapi -lcomctl32 -ladvapi32 -lkernel32 -lpsapi -lgdi32 -liphlpapi -lws2_32 -lcrypt32 -lwintrust -lmpr"
cd win32/ && ./unix2dos.pl ossec.conf > default-ossec.conf
cd win32/ && ./unix2dos.pl help.txt > help_win.txt
cd win32/ && ./unix2dos.pl ../../etc/internal_options.conf > internal_options.conf
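Review bot: `-lmpr` is added only to the LIBS of the WINDOWS_BINS and WINDOWS_ACTIVE_RESPONSES recipes, while the WAZUHEXT_LIB and WINDOWS_LIBS recipes directly above keep their previous LIBS; if the helper that calls the WNet functions is compiled into the code those targets link (WAZUHEXT_LIB in particular, which carries its own LIBS list), that recipe also needs `-lmpr` or the link fails on unresolved WNet symbols. The hunk is build-only: the C code that classifies UNC and network-drive paths, and the list of configuration options it is applied to, is not in it, so the commit should point at where that check lives and the shown `+` lines should be read together with it rather than as the fix itself.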
Source: GitHub Commit Details
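An offline counterpart to the check the patch adds, as an added example that is not Wazuh's code: it parses an agent ossec.conf and reports every configuration value written in UNC syntax, the category of value the fixed agent refuses. The sample configuration is constructed; the element names in it are ordinary Wazuh settings, but the script does not depend on them and checks every element and attribute value. A drive letter may be a mapped network drive, which only the WNet API on the agent host can tell, so those are classed separately rather than reported.

```python
"""Audit a Wazuh agent ossec.conf for UNC and network-style paths.

Added example, not Wazuh's own code. It does offline what the
CVE-2025-30201 fix makes the agent do on the host: refuse
configuration values that name a network location. Without a
Windows host it can only recognise UNC syntax; a drive letter may
be a mapped network drive, which only WNetGetConnection on the
agent host can tell, so drive-letter paths are classed separately.
"""
import re
import xml.etree.ElementTree as ET

# \\server\share or //server/share (Windows accepts either separator)
_UNC_RE = re.compile(r"^[\\/]{2}(?![?.][\\/])[^\\/]")
# Win32 file namespace with an explicit UNC marker: \\?\UNC\server\share
_LONG_UNC_RE = re.compile(r"^\\\\\?\\UNC\\", re.IGNORECASE)
# Device/file namespace without UNC marker: \\?\C:\... or \\.\pipe\...
_DEVICE_RE = re.compile(r"^\\\\[?.]\\")
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def classify_path(value: str) -> str:
    """Return UNC, DEVICE, DRIVE or OTHER for one configuration value."""
    v = value.strip()
    if _LONG_UNC_RE.match(v) or _UNC_RE.match(v):
        return "UNC"
    if _DEVICE_RE.match(v):
        return "DEVICE"  # not a share, but a namespace worth a manual look
    if _DRIVE_RE.match(v):
        return "DRIVE"   # local or mapped; needs the host-side WNet check
    return "OTHER"


def _walk(elem, prefix, findings):
    path = f"{prefix}/{elem.tag}" if prefix else elem.tag
    values = list(elem.attrib.values())
    if elem.text:
        values.extend(elem.text.split(","))  # <directories> is comma-separated
    for raw in values:
        kind = classify_path(raw)
        if kind in ("UNC", "DEVICE"):
            findings.append((path, raw.strip(), kind))
    for child in elem:
        _walk(child, path, findings)


def audit_config(xml_text: str):
    """Return (element path, value, kind) for every UNC/device-namespace value.

    ossec.conf may hold several top-level <ossec_config> blocks and carries
    no XML declaration, so the text is wrapped in a throwaway root first.
    """
    findings = []
    wrapper = ET.fromstring(f"<audit>{xml_text}</audit>")
    for top in wrapper:
        _walk(top, "", findings)
    return findings


# Constructed sample; the two network paths are the kind of value the
# fixed agent would reject.
SAMPLE_CONF = r"""
<ossec_config>
  <syscheck>
    <directories check_all="yes">%WINDIR%\System32, \\files01\share\logs</directories>
    <ignore>C:\Windows\Temp</ignore>
  </syscheck>
  <localfile>
    <location>\\?\UNC\corp-srv\audit\app.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <location>C:\inetpub\logs\u_ex*.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""

if __name__ == "__main__":
    for path, value, kind in audit_config(SAMPLE_CONF):
        print(f"{kind:6} {path}: {value}")
```

Run it against the agent's real ossec.conf (and any centralized agent.conf pushed from the manager) on hosts that cannot be upgraded yet; an empty result means no UNC syntax is present, not that mapped drive letters have been checked.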
Detection Methods for CVE-2025-30201
Indicators of Compromise
- Wazuh Agent configuration files containing UNC paths (e.g., \\hostname\share patterns)
- Outbound SMB traffic (TCP port 445) from Wazuh Agent processes to unexpected destinations
- Windows Security Event ID 4648 (explicit credential logon) originating from Wazuh Agent services
- Unexpected NTLM authentication attempts captured in network traffic
Detection Strategies
- Monitor Wazuh Agent configuration changes for UNC path or network drive references in path-related settings
- Deploy network monitoring to detect SMB/NTLM traffic from Wazuh Agent processes to non-standard destinations
- Review Windows Security logs for NTLM authentication events associated with the Wazuh Agent service account
- Implement file integrity monitoring on Wazuh Agent configuration files
Monitoring Recommendations
- Enable detailed logging for Wazuh Agent configuration modifications
- Configure network segmentation rules to alert on Wazuh Agent outbound SMB connections
- Establish baseline network behavior for Wazuh Agent processes and alert on deviations
- Monitor for privilege escalation attempts following NTLM authentication events
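The two detection strategies above (SMB connections from the agent process to unexpected destinations, and Event ID 4648 explicit-credential logons tied to the agent service) as one piece of detection logic run over sample telemetry. This is an added example, not a Wazuh rule set: the JSON record shape, the field names, the agent executable names and the allow-lists are assumptions, and the log lines are constructed (203.0.113.7 is a documentation address).

```python
"""Flag SMB/NTLM activity that originates from the Wazuh agent process
and goes somewhere it should not.

Added example, not a Wazuh ruleset. Records are constructed JSON lines
in a simplified shape: "netconn" for a process network connection and
"security" for a Windows Security event. Field names, the agent
executable names and the allow-lists are assumptions; map them to
your own telemetry (Sysmon, EDR, Security log) before use.
"""
import ipaddress
import json
import re

# Assumed: executables the agent service may run under (this page names
# ossec-agent.exe; current 4.x installs ship wazuh-agent.exe).
AGENT_IMAGES = {"wazuh-agent.exe", "ossec-agent.exe"}
# Assumed: file servers the agent legitimately reaches over SMB.
ALLOWED_SMB_NETS = [ipaddress.ip_network("10.0.5.0/24")]
ALLOWED_SERVERS = {"files01"}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _is_agent(image: str) -> bool:
    return _basename(image) in AGENT_IMAGES


def evaluate(record: dict):
    """Return an alert dict, or None, for one parsed record."""
    kind = record.get("kind")
    if kind == "netconn":
        if record.get("dst_port") == 445 and _is_agent(record.get("image", "")):
            ip = ipaddress.ip_address(record["dst_ip"])
            if not any(ip in net for net in ALLOWED_SMB_NETS):
                return {"rule": "agent-smb-unexpected-destination",
                        "detail": f"{record['dst_ip']}:445"}
    elif kind == "security" and record.get("event_id") == 4648:
        if _is_agent(record.get("process_name", "")):
            server = record.get("target_server", "").lower()
            if server not in ALLOWED_SERVERS:
                return {"rule": "agent-explicit-logon-unexpected-server",
                        "detail": f"{record.get('target_user')} -> {server}"}
    return None


def scan(lines):
    """Run every JSON line through evaluate(); unparsable lines are skipped."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(record)
        if alert:
            alerts.append(alert)
    return alerts


AGENT = r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
# Constructed sample telemetry: one benign and one suspicious record of each kind.
SAMPLE_LINES = [json.dumps(r) for r in (
    {"kind": "netconn", "image": AGENT, "dst_ip": "10.0.5.20", "dst_port": 445},
    {"kind": "netconn", "image": AGENT, "dst_ip": "203.0.113.7", "dst_port": 445},
    {"kind": "netconn", "image": r"C:\Windows\explorer.exe", "dst_ip": "203.0.113.7", "dst_port": 445},
    {"kind": "security", "event_id": 4648, "process_name": AGENT,
     "target_server": "files01", "target_user": "svc-wazuh"},
    {"kind": "security", "event_id": 4648, "process_name": AGENT,
     "target_server": "rogue-share", "target_user": "svc-wazuh"},
    {"kind": "security", "event_id": 4624, "process_name": AGENT,
     "target_server": "rogue-share", "target_user": "svc-wazuh"},
)] + ["not json"]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert["rule"], alert["detail"])
```

The explorer.exe connection is deliberately not flagged: this logic scopes to the agent process, which is the one the CVE concerns, and a baseline of which servers the agent legitimately monitors is what turns the rule from noise into a signal.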
How to Mitigate CVE-2025-30201
Immediate Actions Required
- Upgrade Wazuh Agent to version 4.13.0 or later immediately
- Audit all Wazuh Agent configuration files for UNC paths or network share references
- Restrict access to Wazuh Agent configuration to only essential administrators
- Implement network segmentation to prevent Wazuh Agent from initiating outbound SMB connections
Patch Information
Wazuh has released version 4.13.0, which addresses this vulnerability by implementing network drive detection and validation. The fix adds checks built on the Windows Networking (WNet) API, supplied by mpr.dll and linked with -lmpr, to identify and reject UNC paths in configuration settings.
For detailed patch information, review the GitHub Security Advisory and the associated pull request.
Workarounds
- Implement strict access controls on Wazuh Agent configuration files and management interfaces
- Deploy network firewall rules blocking outbound SMB traffic (TCP 445) from Wazuh Agent hosts to untrusted destinations
- Enable SMB signing and consider disabling NTLM authentication where feasible in the environment
- Monitor and audit all configuration changes to Wazuh Agents pending the upgrade
rem Example: block outbound SMB from the Wazuh Agent process with Windows Firewall.
rem The program= path must match the agent executable actually installed on the
rem host (Wazuh 4.x installs wazuh-agent.exe under ossec-agent\); a path that
rem does not exist yields a rule that never matches. Run from an elevated prompt.
netsh advfirewall firewall add rule name="Block Wazuh Agent SMB Outbound" ^
    dir=out action=block protocol=TCP localport=any remoteport=445 ^
    program="C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

