Cyber Posture

CVE-2025-15617

Medium · Public PoC

Published: 27 March 2026
Modified: 31 March 2026
KEV Added: not listed
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0003 (7.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-15617 is a medium-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Wazuh (vendor Wazuh), affecting version 4.12.0. Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). EPSS ranks it at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-10 (Developer Configuration Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Supply Chain (T1195.002) and one other technique, Credentials In Files (T1552.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent · SA-10 (Developer Configuration Management) requires developers to perform secure configuration management during development, which covers the GitHub Actions workflow misconfiguration that lets the GITHUB_TOKEN end up inside an uploaded artifact.

prevent · IA-5 (Authenticator Management) mandates protecting authenticator content from unauthorized disclosure and modification, which directly addresses the exposure of the GITHUB_TOKEN.

prevent · AC-6 (Least Privilege) limits what the GITHUB_TOKEN can do. In GitHub Actions this is the workflow or job permissions: block; a token restricted to contents: read cannot push commits or move release tags even if it is extracted.
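The three controls above correspond to concrete workflow settings. The following is an added example, not Wazuh's workflow and not taken from the advisory; the weak version assumes the common leak pattern (actions/checkout persisting the token into .git/config and the job then uploading the whole checkout), which this page does not confirm as the exact root cause here. The job name, paths and build command are placeholders.

```yaml
# Weak (assumed pattern, not Wazuh's actual workflow): the default checkout
# keeps the token in .git/config and the whole checkout, .git included, is
# uploaded as an artifact.
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # persist-credentials defaults to true
      - run: make package                # placeholder build step
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: .                        # uploads .git/config with the token in it
---
# Hardened: the token is never written to disk, only build outputs are
# uploaded, and the token could not push even if it did leak.
name: build
on: [push]
permissions:
  contents: read                         # AC-6: no write access to commits or tags
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false     # IA-5: nothing left in .git/config to extract
      - run: make package
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: dist/                    # SA-10: ship build outputs only, never .git
```

With persist-credentials: false, any later step that genuinely needs to push must be given a token explicitly, and a job that needs contents: write should request it in that job's own permissions: block rather than at the workflow level, so the write-capable token exists only where it is used.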

MITRE ATT&CK Enterprise Techniques · AI

T1195.002 · Compromise Software Supply Chain · Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.

T1552.001 · Credentials In Files · Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Exposed GITHUB_TOKEN in workflow artifacts directly enables credential theft from files and subsequent supply chain compromise via malicious commits/tags.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
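The Credentials In Files mapping suggests a concrete defensive check: scan every artifact a workflow produces for a token before anyone else can download it. The following scanner is an added example, not Wazuh code and not from the advisory. It assumes the two usual ways a GITHUB_TOKEN lands in an artifact (actions/checkout writing it to .git/config as a basic-auth extraheader, or a build log printing it) and relies on the fact that GITHUB_TOKEN is a GitHub App installation token with the ghs_ prefix; the sample artifact and its token value are constructed and fake.

```python
"""Scan a downloaded GitHub Actions artifact (zip) for a leaked GITHUB_TOKEN.

Added example; not Wazuh code. Assumes the common leak shapes described in
the lead-in. The sample artifact below is constructed and the token is fake.
"""
import base64
import io
import re
import zipfile

# GITHUB_TOKEN is a GitHub App installation token, which starts with "ghs_".
RAW_TOKEN_RE = re.compile(rb"ghs_[A-Za-z0-9]{20,}")

# actions/checkout (persist-credentials: true, the default) writes the token
# into .git/config as an http extraheader:
#   extraheader = AUTHORIZATION: basic base64("x-access-token:<token>")
EXTRAHEADER_RE = re.compile(
    rb"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def _finding(name: str, kind: str, token: bytes, user: str = "") -> dict:
    # Record only a prefix and the length, so the scanner's own output does
    # not become a second copy of the secret.
    return {
        "file": name,
        "kind": kind,
        "user": user,
        "token_prefix": token[:8].decode(errors="replace"),
        "token_len": len(token),
    }


def scan_artifact(zip_bytes: bytes, max_entry_bytes: int = 8 * 1024 * 1024) -> list:
    """Return one finding per token-shaped secret found in the artifact."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Skip directories and oversized entries (cheap zip-bomb guard).
            if info.is_dir() or info.file_size > max_entry_bytes:
                continue
            data = zf.read(info.filename)
            # Shape 1: base64 basic-auth header left behind by actions/checkout.
            for m in EXTRAHEADER_RE.finditer(data):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:  # binascii.Error is a ValueError subclass
                    continue
                user, _, token = decoded.partition(b":")
                if token:
                    findings.append(_finding(info.filename, "git-extraheader",
                                             token, user.decode(errors="replace")))
            # Shape 2: the token printed in clear text (logs, env dumps).
            for m in RAW_TOKEN_RE.finditer(data):
                findings.append(_finding(info.filename, "raw-token", m.group(0)))
    return findings


def build_sample_artifact(include_leak: bool = True) -> bytes:
    """Constructed sample artifact: a job that uploaded its whole checkout."""
    fake_token = "ghs_EXAMPLEfakeTokenNotRealAAAAAAAAAA"  # fake, for the demo only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.md", "clean build output\n")
        if include_leak:
            basic = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
            zf.writestr(
                "src/.git/config",
                '[http "https://github.com/"]\n'
                f"\textraheader = AUTHORIZATION: basic {basic}\n",
            )
            zf.writestr("build.log", f"debug: pushing with token {fake_token}\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_artifact(build_sample_artifact()):
        print(f"{f['file']}: {f['kind']} {f['token_prefix']}... ({f['token_len']} chars)")
```

Run this against the zip that actions/download-artifact (or the REST API) hands you; a hit on .git/config means the checkout itself was uploaded, which is a workflow bug regardless of whether the token is still valid. The scanner deliberately keeps only a prefix and length of what it finds.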

NVD Description

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing malicious commits or altering release tags.

Deeper analysis · AI

CVE-2025-15617, published on 2026-03-27, is a credential exposure vulnerability (CWE-522) in Wazuh version 4.12.0. The issue is in the project's GitHub Actions workflows: artifacts uploaded during a run contained the GITHUB_TOKEN, so anyone able to download the artifact could recover the token. The window is bounded by the token's lifetime: a GITHUB_TOKEN expires when the job that issued it finishes (24 hours at most), so an attacker has to download the artifact and use the token while the workflow is still running.

The vulnerability can be exploited remotely (AV:N) by unauthenticated attackers (PR:N) with no user interaction (UI:N), but the attack complexity is rated High (AC:H), consistent with that timing constraint. Successful exploitation grants the attacker whatever the GITHUB_TOKEN is permitted to do, in this case enough to push malicious commits or alter release tags in the Wazuh repository. The CVSS v3.1 base score is 6.5 (S:U/C:N/I:H/A:L): high integrity impact, low availability impact and, as scored, no confidentiality impact.

Advisories detailing mitigation are available from the Wazuh GitHub security page at https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x and VulnCheck at https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact.

Details

CWE(s): CWE-522 Insufficiently Protected Credentials

Affected Products: wazuh / wazuh 4.12.0

CVEs Like This One

CVE-2026-25772 · Same product: Wazuh
CVE-2026-25770 · Same product: Wazuh
CVE-2026-25769 · Same product: Wazuh
CVE-2024-47770 · Same product: Wazuh
CVE-2025-15612 · Same product: Wazuh
CVE-2024-35177 · Same product: Wazuh
CVE-2026-32983 · Same product: Wazuh
CVE-2025-15616 · Same product: Wazuh
CVE-2026-30893 · Same product: Wazuh
CVE-2025-30201 · Same product: Wazuh
