CVE-2025-62790 Overview
CVE-2025-62790 is a denial-of-service vulnerability in Wazuh, an open source platform for threat prevention, detection, and response. The flaw resides in the fim_fetch_attributes_state() function, which fails to validate whether the time_string argument is NULL before passing it to strlen(). A compromised agent can send a specially crafted message to the Wazuh manager, triggering a null pointer dereference that crashes the analysisd process. The crash makes the manager's analysis pipeline unavailable. The issue is tracked under [CWE-252: Unchecked Return Value] and is fixed in Wazuh 4.11.0.
Critical Impact
A compromised agent can crash the Wazuh manager's analysisd process, disabling threat detection and log analysis across the monitored estate.
Affected Products
- Wazuh versions prior to 4.11.0
- Wazuh manager component (analysisd)
- Deployments accepting messages from agents that may be compromised
Discovery Timeline
- 2025-10-29 - CVE-2025-62790 published to NVD
- 2025-11-03 - Last updated in NVD database
- Patch availability - Fixed in Wazuh 4.11.0 per the GitHub Security Advisory GHSA-9xj3-vc52-48p9
Technical Details for CVE-2025-62790
Vulnerability Analysis
The vulnerability lives in the File Integrity Monitoring (FIM) decoding path of analysisd on the Wazuh manager. The fim_fetch_attributes_state() function extracts attribute fields from agent messages, including a time_string value used to record event timestamps. The implementation calls strlen(time_string) without first verifying that the pointer is non-NULL. When an agent sends a FIM message that omits or malforms the corresponding field, the parser returns NULL, and the subsequent strlen() call dereferences a null pointer. This terminates the analysisd daemon, halting alert correlation, rule matching, and downstream forwarding to the Wazuh indexer.
Root Cause
The defect is a missing input validation check classified as [CWE-252]. The function consumes a parsed value without confirming the parser succeeded. Standard C library functions like strlen() assume a valid string pointer; passing NULL produces undefined behavior, which on Linux results in a SIGSEGV and process termination.
Attack Vector
Exploitation requires the ability to deliver an agent-formatted message to the Wazuh manager. An attacker who compromises any registered agent, or who steals agent credentials, can craft a FIM event with a missing time_string attribute and submit it over the agent communication channel. No authentication beyond the agent enrollment key is required, and no user interaction is needed. Each crafted message kills analysisd, and repeated submissions sustain the denial-of-service condition.
The vulnerability mechanism is described in the Wazuh Security Advisory. No public proof-of-concept code is currently available.
Detection Methods for CVE-2025-62790
Indicators of Compromise
- Unexpected termination of the wazuh-analysisd process with segmentation fault entries in /var/ossec/logs/ossec.log
- Gaps in alert generation despite agents continuing to report
- Repeated analysisd restarts triggered by wazuh-manager service supervision
- Malformed FIM event payloads originating from a single or small set of agents
Detection Strategies
- Monitor the Wazuh manager for analysisd crash signatures and core dumps in system logs
- Correlate agent message timestamps against analysisd restart events to identify the source agent
- Inspect agent FIM event streams for messages with missing or malformed time_string fields
- Alert on Wazuh manager service availability transitions using external uptime monitoring
Monitoring Recommendations
- Forward Wazuh manager system logs to an independent SIEM so visibility survives analysisd outages
- Track agent registration changes and flag agents producing parser errors at elevated rates
- Establish a baseline for normal analysisd uptime and alert on deviations
How to Mitigate CVE-2025-62790
Immediate Actions Required
- Upgrade all Wazuh manager instances to version 4.11.0 or later
- Audit registered agents and revoke keys for any host suspected of compromise
- Restrict the agent communication port (default 1514/udp and 1514/tcp) to known agent network ranges
- Review supervision settings to ensure analysisd automatically restarts after crashes while incident response proceeds
Patch Information
The vulnerability is fixed in Wazuh 4.11.0. The fix adds a NULL check on time_string before invoking strlen() within fim_fetch_attributes_state(). Refer to the Wazuh GitHub Security Advisory GHSA-9xj3-vc52-48p9 for the official remediation guidance.
Workarounds
- Limit network exposure of the Wazuh manager agent listener to trusted segments using firewall rules
- Rotate agent enrollment keys and re-enroll agents to reduce the chance of compromised credentials being reused
- Increase rate limits and apply input filtering at the network layer between agents and the manager where feasible
# Verify Wazuh manager version and upgrade
/var/ossec/bin/wazuh-control info | grep WAZUH_VERSION
# On Debian/Ubuntu
apt-get update && apt-get install --only-upgrade wazuh-manager=4.11.0-1
# On RHEL/CentOS
yum update wazuh-manager-4.11.0-1
# Restart and confirm analysisd is running
systemctl restart wazuh-manager
systemctl status wazuh-manager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

