Platform
linux
Component
wazuh
Fixed in
4.8.0
CVE-2025-15616 describes a Command Injection vulnerability discovered in Wazuh Agent and Manager. The flaw allows attackers to execute arbitrary commands on affected systems through weaknesses in logcollector configurations, maild SMTP server tags, and Kaspersky AR script parameters. The vulnerability impacts Wazuh versions 2.1.0 through 4.8.0, and a fix is available in version 4.8.0.
Successful exploitation of CVE-2025-15616 could grant an attacker complete control over the Wazuh Agent or Manager host: executing arbitrary commands, stealing sensitive data (such as log files and configuration information), installing malware, and potentially pivoting to other systems within the network. The attack surface is broad, spanning several configuration points, which increases the likelihood of exploitation. The potential for lateral movement is significant, since a compromised Wazuh agent could be used to reach other systems monitored by the Wazuh Manager. The blast radius extends to any data processed or monitored by Wazuh, making this a critical vulnerability for organizations that rely on Wazuh for security monitoring.
CVE-2025-15616 was publicly disclosed on 2026-03-27. The vulnerability's impact and broad attack surface suggest a medium probability of exploitation (EPSS score pending). No public proof-of-concept exploit had been released at the time of writing, but the Command Injection nature of the vulnerability makes it likely that exploits will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations heavily reliant on Wazuh for security information and event management (SIEM) are particularly at risk. Environments with custom Wazuh configurations, including those using Kaspersky AR scripts, face a heightened risk because of the larger attack surface. Shared hosting environments where Wazuh agents are deployed on multi-tenant systems are also exposed.
• linux / server:
journalctl -u wazuh-agent -g 'command injection'
journalctl -u wazuh-manager -g 'command injection'
• linux / server:
ps aux | grep -i 'wazuh-agent' | grep -i 'command injection'
ps aux | grep -i 'wazuh-manager' | grep -i 'command injection'
• linux / server:
find /etc/wazuh/ -name '*.conf' -print0 | xargs -0 grep -i 'command injection'
Disclosure
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-15616 is to upgrade Wazuh Agent and Manager to version 4.8.0 or later, which contains the necessary fixes. If an immediate upgrade is not possible, consider temporarily restricting access to configuration files and SMTP server settings. Review and validate all custom Kaspersky AR scripts for malicious code. Apply strict input validation and sanitization to any user-supplied data used in Wazuh configurations. A Web Application Firewall (WAF) can filter potentially malicious requests targeting Wazuh components, although this is not a complete solution. Monitor Wazuh logs for suspicious activity, particularly commands executed by the logcollector or maild processes.
Upgrade Wazuh Agent and Manager to version 4.8.0 or later. This fixes the Command Injection and Untrusted Search Path vulnerabilities. Further details and upgrade instructions are available in the Wazuh security advisory.
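The remediation advice above (upgrade to 4.8.0 or later, restrict access to configuration files) can be turned into a quick host check. The script below is an added example, not code from this advisory or from the Wazuh project: it compares a version string against the affected range stated on this page (2.1.0 up to, but not including, the fixed release 4.8.0) and lists configuration files that users other than the owner and group can write to. The version strings, the config directory argument and the `.conf` naming are assumed inputs; the script does not discover the installed Wazuh version by itself.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the Wazuh project.
# Range taken from the advisory text: fixed in 4.8.0, earlier releases back to 2.1.0 affected.
FIRST_AFFECTED="2.1.0"
FIXED_VERSION="4.8.0"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Compares up to three dotted numeric fields; a leading "v" and non-numeric
# suffixes (e.g. "-1") are ignored and missing fields count as 0.
vercmp() {
  va=${1#v}; vb=${2#v}
  oldifs=$IFS; IFS=.
  set -- $va
  a1=${1%%[!0-9]*}; a2=${2%%[!0-9]*}; a3=${3%%[!0-9]*}
  set -- $vb
  b1=${1%%[!0-9]*}; b2=${2%%[!0-9]*}; b3=${3%%[!0-9]*}
  IFS=$oldifs
  for pair in "${a1:-0} ${b1:-0}" "${a2:-0} ${b2:-0}" "${a3:-0} ${b3:-0}"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then echo -1; return 0; fi
    if [ "$1" -gt "$2" ]; then echo 1; return 0; fi
  done
  echo 0
}

# is_affected VERSION: succeeds (exit 0) when FIRST_AFFECTED <= VERSION < FIXED_VERSION
is_affected() {
  [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] &&
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# world_writable_configs DIR: prints *.conf files under DIR with the other-write bit set,
# i.e. files the advisory's "restrict access to configuration files" advice is about.
world_writable_configs() {
  find "$1" -type f -name '*.conf' -perm -002 2>/dev/null | sort
}

# Usage when run directly: sh check_wazuh.sh <version> [config-dir]
# (the version string is supplied by the caller; the config dir is an assumed path)
if [ -n "${1:-}" ]; then
  if is_affected "$1"; then
    echo "Wazuh $1 is in the affected range; upgrade to $FIXED_VERSION or later"
  else
    echo "Wazuh $1 is outside the affected range"
  fi
  if [ -n "${2:-}" ]; then
    echo "Config files writable by other users under $2:"
    world_writable_configs "$2"
  fi
fi
```

`is_affected` treats 4.8.0 itself as fixed, following the "upgrade to 4.8.0 or later" wording rather than the "through 4.8.0" range given earlier on the page; adjust `FIXED_VERSION` if the official advisory states a different boundary.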
CVE-2025-15616 is a Command Injection vulnerability affecting Wazuh Agent and Manager versions 2.1.0–4.8.0, allowing attackers to execute arbitrary commands through configuration files and other settings.
If you are running Wazuh Agent or Manager versions between 2.1.0 and 4.8.0 (inclusive), you are potentially affected by this vulnerability.
Upgrade Wazuh Agent and Manager to version 4.8.0 or later to remediate the vulnerability. If upgrading is not immediately possible, apply temporary mitigations such as restricting access to configuration files.
No public exploits are currently known, but the nature of the vulnerability suggests a potential for exploitation. Continuous monitoring is recommended.
Refer to the official Wazuh security advisory for detailed information and updates regarding CVE-2025-15616.