CVE-2025-15612

Severity: Medium · Public PoC

Published: 27 March 2026
Modified: 08 April 2026
CVSS v4 score: 6.3 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0022 (11.8th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-15612 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Wazuh Wazuh. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks at the 11.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-15612 is an insecure transport vulnerability affecting Wazuh provisioning scripts and Dockerfiles. The issue arises because curl is invoked with the -k/--insecure flag, which disables SSL/TLS certificate validation when downloading dependencies or code during the build process. This flaw is associated with CWE-295 (Improper Certificate Validation) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), and it has a CVSS v3.1 base score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Attackers with network access who can position themselves to intercept traffic between the build environment and remote servers can exploit this vulnerability via man-in-the-middle (MITM) attacks. By doing so, they can modify downloaded dependencies or code, potentially leading to remote code execution (RCE) and supply chain compromise in the resulting Wazuh builds.

Mitigation details are provided in the official advisories, including the Wazuh GitHub Security Advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg and the VulnCheck advisory at https://www.vulncheck.com/advisories/various-uses-of-curl-without-verifying-the-authenticity-of-the-ssl-certificate-leading-to-mitm-rce-in-build-infrastructure.
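An added example, not taken from the Wazuh advisory or the Wazuh repository, showing both halves of the mitigation as a POSIX shell script: a scan that flags curl invocations which disable certificate validation in a provisioning script or Dockerfile (covering bundled short flags such as -fsSLk and backslash-continued RUN lines), and a hardened download helper that keeps validation on and rejects an artefact whose SHA-256 does not match a pinned digest. The Dockerfile lines, URLs and digests are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the Wazuh advisory or repository.
# Sample Dockerfile content, URLs and digests are constructed for the demo.

# Join backslash-continued lines so a multi-line "RUN curl \ ... -k" is
# inspected as one logical command.
join_continuations() {
    awk '/\\$/ { sub(/\\$/, ""); buf = buf $0; next } { print buf $0; buf = "" }' "$1"
}

# Heuristic: a curl command carrying --insecure, or a short-flag group that
# ends in k (-k, -sk, -fsSLk ...). Long options other than --insecure and
# URLs without a leading " -" do not match.
INSECURE_CURL_RE='curl[^|;&]*( --insecure| -[A-Za-z]*k)( |$)'

# Prints each offending logical line of the file given as $1.
list_insecure_curl() {
    join_continuations "$1" | grep -E "$INSECURE_CURL_RE"
}

# Number of offending logical lines (0 when the file is clean).
count_insecure_curl() {
    join_continuations "$1" | grep -cE "$INSECURE_CURL_RE"
}

# SHA-256 of a local file; sha256sum (GNU coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only when the file's digest equals the pinned value in $2.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Hardened replacement for "curl -k URL -o OUT": certificate validation stays
# on, only HTTPS is accepted, and the download is deleted unless the digest
# matches, so a tampered artefact never reaches the build.
fetch_verified() {
    url="$1"; expected="$2"; out="$3"
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
        "$url" -o "$out" || return 1
    verify_sha256 "$out" "$expected" || { rm -f "$out"; return 1; }
}

# Usage: sh scan.sh Dockerfile   (lists offending curl lines, exit 1 if any)
if [ -n "${1:-}" ]; then list_insecure_curl "$1" && exit 1; fi
```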

Vulnerability details

Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.

CWE(s)

CWE-295 Improper Certificate Validation
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Why these techniques?

Directly enables supply chain compromise by allowing MITM tampering of build-time dependencies due to disabled certificate validation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62786 (same product: Wazuh Wazuh)
CVE-2025-15616 (same product: Wazuh Wazuh)
CVE-2025-15617 (same product: Wazuh Wazuh)
CVE-2024-47770 (same product: Wazuh Wazuh)
CVE-2025-24016 (same product: Wazuh Wazuh)
CVE-2026-25772 (same product: Wazuh Wazuh)
CVE-2026-32983 (same product: Wazuh Wazuh)
CVE-2026-30893 (same product: Wazuh Wazuh)
CVE-2025-15615 (same product: Wazuh Wazuh)
CVE-2026-25771 (same product: Wazuh Wazuh)

Affected Assets

Vendor: wazuh
Product: wazuh
Versions: 4.1.3 through 4.14.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SC-8 Transmission Confidentiality and Integrity (prevent)
Protects confidentiality and integrity of transmissions using cryptographic mechanisms with proper certificate validation, directly preventing MITM attacks during curl downloads in Wazuh provisioning scripts and Dockerfiles.

SI-7 Software, Firmware, and Information Integrity (prevent, detect)
Employs integrity verification for software and information, including checksums or signatures on downloaded dependencies, to detect and block tampered code from supply chain compromise.

Supply chain component authenticity (prevent)
Verifies authenticity of supply chain components prior to use, mitigating risks from modified dependencies intercepted via insecure transport in the build process.
