Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-62790

CVE-2025-62790: Wazuh Platform DOS Vulnerability

CVE-2025-62790 is a denial of service flaw in Wazuh platform that allows compromised agents to crash analysisd. This post covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-62790 Overview

CVE-2025-62790 is a denial-of-service vulnerability in Wazuh, an open source platform for threat prevention, detection, and response. The flaw resides in the fim_fetch_attributes_state() function, which fails to validate whether the time_string argument is NULL before passing it to strlen(). A compromised agent can send a specially crafted message to the Wazuh manager, triggering a null pointer dereference that crashes the analysisd process. The crash makes the manager's analysis pipeline unavailable. The issue is tracked under [CWE-252: Unchecked Return Value] and is fixed in Wazuh 4.11.0.

Critical Impact

A compromised agent can crash the Wazuh manager's analysisd process, disabling threat detection and log analysis across the monitored estate.

Affected Products

  • Wazuh versions prior to 4.11.0
  • Wazuh manager component (analysisd)
  • Deployments accepting messages from agents that may be compromised

Discovery Timeline

Technical Details for CVE-2025-62790

Vulnerability Analysis

The vulnerability lives in the File Integrity Monitoring (FIM) decoding path of analysisd on the Wazuh manager. The fim_fetch_attributes_state() function extracts attribute fields from agent messages, including a time_string value used to record event timestamps. The implementation calls strlen(time_string) without first verifying that the pointer is non-NULL. When an agent sends a FIM message that omits or malforms the corresponding field, the parser returns NULL, and the subsequent strlen() call dereferences a null pointer. This terminates the analysisd daemon, halting alert correlation, rule matching, and downstream forwarding to the Wazuh indexer.

Root Cause

The defect is a missing input validation check classified as [CWE-252]. The function consumes a parsed value without confirming the parser succeeded. Standard C library functions like strlen() assume a valid string pointer; passing NULL produces undefined behavior, which on Linux results in a SIGSEGV and process termination.

Attack Vector

Exploitation requires the ability to deliver an agent-formatted message to the Wazuh manager. An attacker who compromises any registered agent, or who steals agent credentials, can craft a FIM event with a missing time_string attribute and submit it over the agent communication channel. No authentication beyond the agent enrollment key is required, and no user interaction is needed. Each crafted message kills analysisd, and repeated submissions sustain the denial-of-service condition.

The vulnerability mechanism is described in the Wazuh Security Advisory. No public proof-of-concept code is currently available.

Detection Methods for CVE-2025-62790

Indicators of Compromise

  • Unexpected termination of the wazuh-analysisd process with segmentation fault entries in /var/ossec/logs/ossec.log
  • Gaps in alert generation despite agents continuing to report
  • Repeated analysisd restarts triggered by wazuh-manager service supervision
  • Malformed FIM event payloads originating from a single or small set of agents

Detection Strategies

  • Monitor the Wazuh manager for analysisd crash signatures and core dumps in system logs
  • Correlate agent message timestamps against analysisd restart events to identify the source agent
  • Inspect agent FIM event streams for messages with missing or malformed time_string fields
  • Alert on Wazuh manager service availability transitions using external uptime monitoring

Monitoring Recommendations

  • Forward Wazuh manager system logs to an independent SIEM so visibility survives analysisd outages
  • Track agent registration changes and flag agents producing parser errors at elevated rates
  • Establish a baseline for normal analysisd uptime and alert on deviations

How to Mitigate CVE-2025-62790

Immediate Actions Required

  • Upgrade all Wazuh manager instances to version 4.11.0 or later
  • Audit registered agents and revoke keys for any host suspected of compromise
  • Restrict the agent communication port (default 1514/udp and 1514/tcp) to known agent network ranges
  • Review supervision settings to ensure analysisd automatically restarts after crashes while incident response proceeds

Patch Information

The vulnerability is fixed in Wazuh 4.11.0. The fix adds a NULL check on time_string before invoking strlen() within fim_fetch_attributes_state(). Refer to the Wazuh GitHub Security Advisory GHSA-9xj3-vc52-48p9 for the official remediation guidance.

Workarounds

  • Limit network exposure of the Wazuh manager agent listener to trusted segments using firewall rules
  • Rotate agent enrollment keys and re-enroll agents to reduce the chance of compromised credentials being reused
  • Increase rate limits and apply input filtering at the network layer between agents and the manager where feasible
bash
# Verify Wazuh manager version and upgrade
/var/ossec/bin/wazuh-control info | grep WAZUH_VERSION

# On Debian/Ubuntu
apt-get update && apt-get install --only-upgrade wazuh-manager=4.11.0-1

# On RHEL/CentOS
yum update wazuh-manager-4.11.0-1

# Restart and confirm analysisd is running
systemctl restart wazuh-manager
systemctl status wazuh-manager

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.