Cyber Resilience

CVE-2025-15617

Severity: High · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
KEV Added: not listed
CVSS v4.0 base score: 8.3 (High)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0039 (30.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-15617 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Wazuh (vendor Wazuh). Its CVSS v4.0 base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). EPSS ranks it at the 30.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-10 (Developer Configuration Management).

Deeper analysis

CVE-2025-15617, published on 2026-03-27, is a credential-exposure vulnerability (CWE-522) in Wazuh version 4.12.0. The issue resides in the project's GitHub Actions workflows: an artifact uploaded by a workflow run contained the job's GITHUB_TOKEN, so anyone able to download that artifact could read the token. Because GitHub revokes a GITHUB_TOKEN when the job that issued it finishes, the exposure is confined to the window in which that job is still running.

The vulnerability can be exploited remotely (AV:N) by unauthenticated attackers (PR:N) with no user interaction (UI:N). Attack complexity is high (AC:H) because the attacker must download the artifact and use the token before the workflow job ends and the token is revoked. Successful exploitation grants the GITHUB_TOKEN's permissions, allowing actions such as pushing malicious commits or altering release tags in the Wazuh repository. The CVSS v3.1 base score is 6.5 (C:N/I:H/A:L/S:U): no confidentiality impact, high integrity impact and low availability impact.
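As an added example (not code from this page, the advisory or the Wazuh project), the following Python script is the check a responder would run on a downloaded artifact: walk the extracted tree and report any GITHUB_TOKEN it contains, either as a raw ghs_ token (for instance an environment dump in a log) or as the base64 "AUTHORIZATION: basic" header that actions/checkout writes into .git/config while persist-credentials is enabled. That .git/config path is the usual way this class of leak happens and is an assumption here; the page does not state the exact cause for CVE-2025-15617. The sample artifact, the example/repo URL and the placeholder token are constructed for the demonstration.

```python
"""Scan an extracted GitHub Actions artifact for a leaked GITHUB_TOKEN.

Added example; not part of the page or of the Wazuh project. Two leak forms
are covered:
  * a raw token anywhere in the tree (GitHub installation tokens, which is
    what GITHUB_TOKEN is, look like 'ghs_' followed by 36 alphanumerics);
  * the base64 'AUTHORIZATION: basic' extraheader that actions/checkout stores
    in .git/config while persist-credentials is enabled (assumed leak path for
    this CWE class; the page does not state the exact cause for this CVE).
"""
import base64
import re
import sys
import tempfile
from pathlib import Path

RAW_TOKEN_RE = re.compile(rb"ghs_[A-Za-z0-9]{36}")
BASIC_HEADER_RE = re.compile(rb"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def find_tokens(artifact_root: str) -> list[dict]:
    """Return one finding per leaked token: relative file, kind and the token."""
    root = Path(artifact_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        for m in RAW_TOKEN_RE.finditer(data):
            findings.append({"file": rel, "kind": "raw", "token": m.group(0).decode()})
        for m in BASIC_HEADER_RE.finditer(data):
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            # actions/checkout encodes "x-access-token:<GITHUB_TOKEN>"
            user, _, secret = decoded.partition(b":")
            if user == b"x-access-token" and RAW_TOKEN_RE.fullmatch(secret):
                findings.append({"file": rel, "kind": "basic-auth", "token": secret.decode()})
    return findings


FAKE_TOKEN = "ghs_" + "A" * 36  # constructed placeholder, not a real token


def build_sample_artifact() -> str:
    """Write a constructed artifact tree resembling an uploaded checkout directory."""
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / "build.log").write_text("built wazuh 4.12.0\n")          # benign
    (root / "env.dump").write_text(f"GITHUB_TOKEN={FAKE_TOKEN}\n")   # token dumped into a log
    (root / ".git").mkdir()
    header = base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode()
    (root / ".git" / "config").write_text(
        '[remote "origin"]\n\turl = https://github.com/example/repo\n'
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {header}\n"
    )
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_artifact()
    for f in find_tokens(target):
        print(f"{f['file']}: {f['kind']} GITHUB_TOKEN ending ...{f['token'][-4:]}")
```

Run it with the path of an extracted artifact as the only argument, or with no argument to scan the constructed sample. A hit means the token must be treated as compromised for the remainder of that job's lifetime; it does not become safe until the job ends and GitHub revokes it.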

Advisories detailing mitigation are available from the Wazuh GitHub security advisory GHSA-6xqr-4q5g-xc7x at https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x and from VulnCheck at https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact.


Vulnerability details

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags.

CWE(s)

CWE-522 Insufficiently Protected Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

A GITHUB_TOKEN exposed in workflow artifacts is a credential stored in a file that an attacker can read (T1552.001); with the token's write access, the attacker can then push malicious commits or move release tags, compromising the software supply chain (T1195.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62786 (same product: Wazuh)
CVE-2025-15616 (same product: Wazuh)
CVE-2025-15612 (same product: Wazuh)
CVE-2024-47770 (same product: Wazuh)
CVE-2025-24016 (same product: Wazuh)
CVE-2026-25772 (same product: Wazuh)
CVE-2026-32983 (same product: Wazuh)
CVE-2026-30893 (same product: Wazuh)
CVE-2025-15615 (same product: Wazuh)
CVE-2026-25771 (same product: Wazuh)

Affected Assets

Vendor: wazuh
Product: wazuh
Version: 4.12.0

Mitigating Controls (NIST 800-53 r5) AI

prevent: SA-10 (Developer Configuration Management) requires developers to perform configuration management during development, which is where a workflow misconfiguration that places the GITHUB_TOKEN in an uploaded artifact should be caught, by review of the workflow definitions and of what each artifact step uploads.

prevent: IA-5 (Authenticator Management) mandates protecting authenticator content from unauthorized disclosure and modification. The GITHUB_TOKEN is such an authenticator and must not be written into artifacts, logs or other outputs that leave the job.

prevent: AC-6 (Least Privilege) applies to the GITHUB_TOKEN through the workflow's permissions setting. Granting a job only the scopes it needs (for a build job, typically contents: read) limits what an extracted token can do, so actions such as pushing commits or altering release tags remain impossible even if the token leaks.
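The following Python linter is an added example (not code from this page, the advisory or the Wazuh project) that turns the SA-10 and AC-6 controls above into a concrete check on a workflow definition. It flags a missing or write-all top-level permissions setting (AC-6), and a checkout step that keeps persist-credentials at its default followed by an upload-artifact step whose path covers the checkout directory (SA-10). Workflows are passed in already parsed, in the dict shape a YAML loader such as yaml.safe_load returns, so the script needs only the standard library. The .git/config leak path is assumed as the typical cause for this CWE class; the page does not state the exact cause for CVE-2025-15617. Both sample workflows are constructed for the demonstration.

```python
"""Lint a GitHub Actions workflow for settings that let GITHUB_TOKEN end up in an artifact.

Added example; not the page's or the Wazuh project's code. Rules:
  * AC-6: top-level `permissions` missing or `write-all`, so the token keeps a
    write-capable default scope;
  * SA-10: actions/checkout with persist-credentials left enabled (the default,
    which stores the token in .git/config for the job) followed by
    actions/upload-artifact whose path covers the checkout directory.
    (.git/config is assumed as the typical leak path for this CWE class.)
Workflows are dicts of the shape yaml.safe_load would return.
"""


def _action_name(step: dict) -> str:
    # "actions/checkout@v4" -> "actions/checkout"
    return str(step.get("uses", "")).split("@", 1)[0]


def _covers_checkout_dir(path_value) -> bool:
    # `path:` may be a string, a multi-line string or (after parsing) a list.
    entries = path_value if isinstance(path_value, list) else str(path_value).splitlines()
    for entry in entries:
        entry = entry.strip().rstrip("/")
        if entry in (".", "**", "${{ github.workspace }}") or entry.startswith(".git"):
            return True
    return False


def lint_workflow(workflow: dict) -> list[str]:
    """Return one message per finding; an empty list means both rules pass."""
    issues = []
    perms = workflow.get("permissions")
    if perms is None or perms == "write-all":
        issues.append("AC-6: set a restrictive top-level permissions block (e.g. contents: read); "
                      "the GITHUB_TOKEN currently keeps the repository default scope")
    for job_name, job in workflow.get("jobs", {}).items():
        token_on_disk = False
        for step in job.get("steps", []):
            with_ = step.get("with") or {}
            action = _action_name(step)
            if action == "actions/checkout":
                persist = with_.get("persist-credentials", True)  # default is true
                token_on_disk = str(persist).lower() != "false"
            elif action == "actions/upload-artifact" and token_on_disk:
                if _covers_checkout_dir(with_.get("path", "")):
                    issues.append(f"SA-10 ({job_name}): upload-artifact path {with_.get('path')!r} "
                                  "includes .git/config, which holds the GITHUB_TOKEN; set "
                                  "persist-credentials: false on checkout or upload only build outputs")
    return issues


# Constructed weak workflow: default token scope, credentialed checkout, whole workspace uploaded.
WEAK_WORKFLOW = {
    "name": "build",
    "on": ["push"],
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},  # persist-credentials defaults to true
                {"run": "make"},
                {"uses": "actions/upload-artifact@v4",
                 "with": {"name": "workspace", "path": "."}},  # ships .git/config too
            ],
        }
    },
}

# Constructed hardened workflow: read-only token, no persisted credentials, outputs only.
HARDENED_WORKFLOW = {
    "name": "build",
    "on": ["push"],
    "permissions": {"contents": "read"},  # AC-6: least privilege for the token
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"persist-credentials": False}},  # SA-10: nothing written to .git/config
                {"run": "make"},
                {"uses": "actions/upload-artifact@v4",
                 "with": {"name": "dist", "path": "dist/"}},  # only build outputs
            ],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        found = lint_workflow(wf)
        print(f"{label}: {len(found)} issue(s)")
        for line in found:
            print("  -", line)
```

The two rules are independent on purpose: even when the artifact path is fixed, the permissions block is what bounds the damage if the token escapes some other way, and even with contents: read a persisted credential in an uploaded tree is still a disclosed authenticator under IA-5.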

References

https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x (Wazuh GitHub security advisory)
https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact (VulnCheck advisory)