CVE-2025-62786

Severity: Medium · Public PoC referenced

Published: 29 October 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: fixed in Wazuh 4.10.2
CVSS Score (v4.0): 6.3
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0076 (73.9th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62786 is a medium-severity Buffer Underflow (CWE-124) vulnerability in Wazuh (vendor: Wazuh). Its CVSS v4.0 base score is 6.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-62786 is a heap-based out-of-bounds write vulnerability in the decode_win_permissions function of Wazuh, a free and open-source platform used for threat prevention, detection, and response. The flaw occurs when a NULL byte is written two bytes before the start of the buffer allocated to decoded_it, affecting the Wazuh manager component. It is classified under CWE-124 (Buffer Underflow) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H); the 6.3 shown above is the CVSS v4.0 score.

A compromised Wazuh agent, or an attacker able to craft and send an agent message to the Wazuh manager, can potentially exploit this issue to achieve remote code execution on the manager. Exploitability depends on the specifics of the heap allocator in use on the manager host.

The vulnerability is fixed in Wazuh version 4.10.2. Additional details are available in the Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-2c8r-p6r5-xxmr and the fixing commit at https://github.com/wazuh/wazuh/commit/2257d7998aaff34263169d16f4afc491564a771c.

Vulnerability details

Wazuh is a free and open source platform used for threat prevention, detection, and response. A heap-based out-of-bounds write occurs in decode_win_permissions, resulting in writing a NULL byte 2 bytes before the start of the buffer allocated to decoded_it. A compromised agent can potentially leverage this issue to perform remote code execution, by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can leverage this issue to potentially achieve remote code execution on the wazuh manager (the exploitability of this vulnerability depends on the specifics of the respective heap allocator). This vulnerability is fixed in 4.10.2.

CWE(s)

CWE-124 Buffer Underflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows remote code execution via a specially crafted agent message to the network-accessible Wazuh manager, directly mapping to exploitation of a public-facing or remotely exploitable application/service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25790 (same product: Wazuh)
CVE-2026-28221 (same product: Wazuh)
CVE-2025-24016 (same product: Wazuh)
CVE-2025-15616 (same product: Wazuh)
CVE-2026-25770 (same product: Wazuh)
CVE-2024-35177 (same product: Wazuh)
CVE-2024-47770 (same product: Wazuh)
CVE-2026-32983 (same product: Wazuh)
CVE-2026-25769 (same product: Wazuh)
CVE-2026-30893 (same product: Wazuh)

Affected Assets

Vendor: wazuh
Product: wazuh
Versions: ≤ 4.10.2

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

Prevent: Applying the Wazuh 4.10.2 patch directly remediates the heap-based out-of-bounds write in decode_win_permissions, preventing exploitation via crafted agent messages.

Prevent (SI-10, Information Input Validation): Validating the syntax, semantics, and content of incoming agent messages prevents specially crafted inputs from triggering the out-of-bounds write in decode_win_permissions.

Prevent (SI-16, Memory Protection): Heap memory protections such as guard pages or safe unlinking mitigate remote code execution from the out-of-bounds write vulnerability in decode_win_permissions.