CVE-2025-15617
Published: 27 March 2026
Summary
CVE-2025-15617 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Wazuh Wazuh. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-10 (Developer Configuration Management).
Deeper analysis
CVE-2025-15617, published on 2026-03-27, is an exposure vulnerability (CWE-522) in Wazuh version 4.12.0. The issue resides in GitHub Actions workflow artifacts, which inadvertently allow attackers to extract the GITHUB_TOKEN from uploaded artifacts. This token exposure enables unauthorized access within the workflow's limited time window.
The vulnerability can be exploited remotely (AV:N) by unauthenticated attackers (PR:N) with no user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation grants the GITHUB_TOKEN's permissions, allowing actions such as pushing malicious commits or altering release tags in the Wazuh repository. The CVSS v3.1 base score is 6.5 (C:N/I:H/A:L/S:U), reflecting moderate integrity and low availability impact.
Advisories detailing mitigation are available from the Wazuh GitHub security page at https://github.com/wazuh/wazuh/security/advisories/GHSA-6xqr-4q5g-xc7x and VulnCheck at https://www.vulncheck.com/advisories/exposure-of-the-github-token-in-wazuh-workflow-run-artifact.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209105
Vulnerability details
Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. Attackers can use the exposed token within a limited time window to perform unauthorized actions such as pushing…
more
malicious commits or altering release tags.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Exposed GITHUB_TOKEN in workflow artifacts directly enables credential theft from files and subsequent supply chain compromise via malicious commits/tags.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SA-10 requires developers to perform secure configuration management during development, directly preventing misconfigurations in GitHub Actions workflows that expose the GITHUB_TOKEN in artifacts.
IA-5 mandates protecting authenticator content from unauthorized disclosure and modification, comprehensively addressing the exposure of the GITHUB_TOKEN.
AC-6 enforces least privilege on the GITHUB_TOKEN, limiting the scope of unauthorized actions like pushing commits even if the token is extracted.