CVE-2025-15612
Published: 27 March 2026
Summary
CVE-2025-15612 is a medium-severity Improper Certificate Validation (CWE-295) vulnerability in Wazuh (vendor: Wazuh). Its CVSS base score is 4.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The vulnerability ranks at the 21.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Protects confidentiality and integrity of transmissions using cryptographic mechanisms with proper certificate validation, directly preventing MITM attacks during curl downloads in Wazuh provisioning scripts and Dockerfiles.
- Employs integrity verification for software and information, including checksums or signatures on downloaded dependencies, to detect and block tampered code from supply chain compromise.
- Verifies authenticity of supply chain components prior to use, mitigating risks from modified dependencies intercepted via insecure transport in the build process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables supply chain compromise by allowing MITM tampering of build-time dependencies due to disabled certificate validation.
NVD Description
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.
Deeper analysis
CVE-2025-15612 is an insecure transport vulnerability affecting Wazuh provisioning scripts and Dockerfiles. The issue arises because curl is invoked with the -k/--insecure flag, which disables SSL/TLS certificate validation when downloading dependencies or code during the build process. This flaw is associated with CWE-295 (Improper Certificate Validation) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), and it has a CVSS v3.1 base score of 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Attackers with network access who can position themselves to intercept traffic between the build environment and remote servers can exploit this vulnerability via man-in-the-middle (MITM) attacks. By doing so, they can modify downloaded dependencies or code, potentially leading to remote code execution (RCE) and supply chain compromise in the resulting Wazuh builds.
Mitigation details are provided in the official advisories, including the Wazuh GitHub Security Advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg and the VulnCheck advisory at https://www.vulncheck.com/advisories/various-uses-of-curl-without-verifying-the-authenticity-of-the-ssl-certificate-leading-to-mitm-rce-in-build-infrastructure.
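As an added example (not code from Wazuh or from the advisories linked above), the following audit script lets a defender find the pattern this CVE describes in their own provisioning scripts and Dockerfiles: curl or wget invocations that disable certificate validation, including -k bundled with other short flags, abbreviated long options, and flags that sit on a backslash-continued RUN line. The sample Dockerfile embedded in it and the example.invalid URLs are constructed for illustration.

```python
"""Audit shell scripts and Dockerfiles for curl/wget calls that disable TLS
certificate validation (the CWE-295 pattern behind CVE-2025-15612)."""
import re, shlex, sys
CURL_ARG_OPTS = set("oHdXuAeTbcCDEFKmPQrtwxyYz")  # curl short options that take a value
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")  # shell command separators
SAMPLE_DOCKERFILE = """FROM ubuntu:22.04
# constructed sample input for this example, not a real Wazuh Dockerfile
RUN curl -sSLk https://example.invalid/installer.sh -o /tmp/installer.sh \\
    && sh /tmp/installer.sh
RUN curl --insecure -o /tmp/pkg.deb https://example.invalid/pkg.deb
RUN wget --no-check-certificate https://example.invalid/tool.tar.gz
RUN curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/ok.sh https://example.invalid/ok.sh \\
    && echo "<sha256-placeholder>  /tmp/ok.sh" | sha256sum -c -
RUN curl -so /tmp/kfile https://example.invalid/kfile
"""

def _logical_lines(text):
    """Yield (first line number, command) with backslash-continued lines joined."""
    for m in re.finditer(r"(?:.*\\\n)*.+", text):
        yield text.count("\n", 0, m.start()) + 1, m.group().replace("\\\n", " ")

def _insecure_reason(tokens):
    """Why one shell command disables certificate checking, or '' if it doesn't."""
    names = [t.rsplit("/", 1)[-1] for t in tokens]  # tolerate /usr/bin/curl
    hit = next((i for i, n in enumerate(names) if n in ("curl", "wget")), -1)
    for tok in (tokens[hit + 1:] if hit >= 0 else []):
        if (names[hit], tok) == ("wget", "--no-check-certificate") or (
                names[hit] == "curl" and "--insecure".startswith(tok) and len(tok) > 4):
            return f"{names[hit]} {tok}"  # curl also accepts abbreviated long options
        if names[hit] == "curl" and tok.startswith("-") and not tok.startswith("--"):
            for ch in tok[1:]:  # bundled short flags such as -sSLk
                if ch == "k":
                    return f"curl {tok} (-k)"
                if ch in CURL_ARG_OPTS:  # the rest of the token is that option's value
                    break
    return ""

def scan(text):
    """Return (line number, reason) for every insecure download in a file's text."""
    findings = []
    for no, logical in _logical_lines(text):
        for cmd in SPLIT_RE.split(logical):
            if reason := _insecure_reason(shlex.split(cmd, comments=True)):
                findings.append((no, reason))
    return findings
if __name__ == "__main__":  # usage: python audit_downloads.py Dockerfile install.sh ...
    for path in sys.argv[1:] or ["<sample>"]:
        text = SAMPLE_DOCKERFILE if path == "<sample>" else open(path, encoding="utf-8").read()
        print(*(f"{path}:{no}: {reason}" for no, reason in scan(text)), sep="\n")
```

Run with no arguments it audits the embedded sample and reports three findings; the hardened line with --proto '=https', --tlsv1.2 and a checksum step is not flagged.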
Details
- CWE(s)