CVE-2025-62789 Overview
CVE-2025-62789 is a denial-of-service vulnerability in Wazuh, an open source platform for threat prevention, detection, and response. The flaw exists in the fim_alert() implementation, which fails to verify that the return value of ctime_r is non-NULL before passing it to strdup(). A compromised Wazuh agent can send a specially crafted message to the Wazuh manager, triggering a NULL pointer dereference in analysisd. The crash makes the manager's analysis daemon unavailable, disrupting detection and alerting capabilities. Wazuh fixed this issue in version 4.11.0. The weakness is classified under [CWE-252] (Unchecked Return Value).
Critical Impact
A compromised agent can crash the Wazuh manager's analysisd process, disabling threat detection and alerting across the monitored environment.
Affected Products
- Wazuh versions prior to 4.11.0
- Wazuh Manager (analysisd component)
- Deployments accepting messages from Wazuh agents
Discovery Timeline
- 2025-10-29 - CVE-2025-62789 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-62789
Vulnerability Analysis
The vulnerability resides in the fim_alert() function within the Wazuh manager's analysisd daemon. File Integrity Monitoring (FIM) alerts received from agents are processed using ctime_r() to format timestamp values. The standard library function ctime_r() can return NULL when given an invalid time_t value. Wazuh's implementation does not validate the return pointer before passing it to strdup(). Calling strdup(NULL) invokes strlen(NULL), which dereferences a NULL pointer and crashes the process.
Because analysisd is the central correlation and alerting engine, its termination halts rule evaluation, alert generation, and event archiving. Operators lose visibility until the daemon is restarted, and a persistent attacker can repeat the trigger to keep it offline.
Root Cause
The defect is an unchecked library return value [CWE-252]. The code assumes ctime_r() always succeeds. Supplying a malformed or out-of-range timestamp through an agent message produces a NULL return that the subsequent strdup() call cannot tolerate.
Attack Vector
Exploitation requires an attacker to control or compromise a Wazuh agent already enrolled with the manager. The attacker crafts an FIM event containing a timestamp value that causes ctime_r() to fail. The manager parses the message, calls fim_alert(), and crashes when strdup() dereferences the NULL pointer. No authentication beyond the existing agent registration is required, and no user interaction is involved.
Refer to the Wazuh GitHub Security Advisory GHSA-8rvq-mm2f-8q22 for vendor details.
Detection Methods for CVE-2025-62789
Indicators of Compromise
- Unexpected termination or repeated restarts of the wazuh-analysisd process on the manager.
- Gaps in alert generation or event correlation timelines without a corresponding configuration change.
- Malformed FIM event messages originating from a single agent immediately preceding daemon failure.
Detection Strategies
- Monitor ossec.log and analysisd logs for crash signatures, segmentation faults, or abnormal exit codes.
- Correlate agent message volume and content patterns to identify outliers sending malformed FIM payloads.
- Track the running state of wazuh-analysisd via systemd or process supervisors and alert on unscheduled exits.
Monitoring Recommendations
- Forward Wazuh manager system logs to a central SIEM and create rules for analysisd crashes.
- Baseline normal FIM event structure per agent and flag deviations in timestamp fields.
- Audit agent enrollments and revoke keys for agents exhibiting suspicious or anomalous behavior.
How to Mitigate CVE-2025-62789
Immediate Actions Required
- Upgrade all Wazuh manager instances to version 4.11.0 or later.
- Inventory and rotate agent keys for any agents suspected of compromise.
- Restrict network access to the manager's agent communication port (default 1514) to trusted agent subnets only.
Patch Information
The vulnerability is fixed in Wazuh 4.11.0. The patch adds a NULL check on the ctime_r() return value before invoking strdup() inside fim_alert(). Apply the official release from the Wazuh GitHub Security Advisory.
Workarounds
- Limit agent enrollment to vetted hosts and enforce strict key management to reduce the population of agents capable of triggering the bug.
- Configure process supervision to automatically restart wazuh-analysisd if it terminates, reducing the window of unavailability.
- Network-segment the Wazuh manager so only authorized agents can reach the manager's listening ports.
# Upgrade Wazuh manager on Debian/Ubuntu to a fixed release (4.11.0 or later)
sudo apt-get update
sudo apt-get install --only-upgrade wazuh-manager
sudo systemctl restart wazuh-manager
# Confirm the installed version is 4.11.0 or later
sudo /var/ossec/bin/wazuh-control info | grep VERSION
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.