CVE-2025-15616
Published: 27 March 2026
Summary
CVE-2025-15616 is a medium-severity Code Injection (CWE-94) vulnerability in Wazuh Wazuh. Its CVSS base score is 6.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the shell injection and untrusted search path flaws by requiring timely remediation through patching to Wazuh 4.8.0 or later as specified in the advisory.
Prevents arbitrary command execution by enforcing input validation and error handling for configuration files, SMTP server tags, and script parameters vulnerable to shell injection.
Limits the impact of PR:H exploitation requirement by ensuring only approved privileges are granted to processes and users interacting with vulnerable Wazuh components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Shell injection in Wazuh components directly enables remote arbitrary command execution (T1059.004) via network-accessible config/SMTP/script interfaces (T1190).
NVD Description
Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters. Attackers…
more
can exploit these vulnerabilities by injecting malicious commands through configuration files, SMTP server settings, and custom flags to achieve remote code execution on affected systems.
Deeper analysisAI
CVE-2025-15616 is a set of multiple shell injection and untrusted search path vulnerabilities (CWE-94) affecting Wazuh wazuh-agent and wazuh-manager versions from 2.1.0 up to but not including 4.8.0. These flaws exist in various components, including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters, allowing attackers to execute arbitrary commands on impacted systems.
Attackers with high privileges (PR:H) and network access can exploit the vulnerability with low complexity (CVSS 6.7: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H). By injecting malicious commands through configuration files, SMTP server settings, or custom flags, they achieve remote code execution on affected Wazuh agent or manager hosts.
The Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-522v-p59v-58gm and VulnCheck analysis at https://www.vulncheck.com/advisories/multiple-vulnerabilities-related-to-shell-injection-and-path-traversal-flaws provide details on mitigation, with upgrading to Wazuh version 4.8.0 or later resolving the issues.
Details
- CWE(s)