CVE-2025-62786
Published: 29 October 2025
Summary
CVE-2025-62786 is a high-severity Buffer Underflow (CWE-124) vulnerability in Wazuh. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 36.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Applying the Wazuh 4.10.2 patch directly remediates the heap-based out-of-bounds write in decode_win_permissions, preventing exploitation via crafted agent messages.
Validating the syntax, semantics, and content of incoming agent messages prevents specially crafted inputs from triggering the out-of-bounds write in decode_win_permissions.
Heap memory protections such as guard pages or safe unlinking mitigate remote code execution from the out-of-bounds write vulnerability in decode_win_permissions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote code execution via a specially crafted agent message to the network-accessible Wazuh manager, directly mapping to exploitation of a public-facing or remotely exploitable application/service.
NVD Description
Wazuh is a free and open source platform used for threat prevention, detection, and response. A heap-based out-of-bounds WRITE occurs in decode_win_permissions, resulting in writing a NULL byte 2 bytes before the start of the buffer allocated to decoded_it. A compromised agent can potentially leverage this issue to perform remote code execution, by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can leverage this issue to potentially achieve remote code execution on the wazuh manager (the exploitability of this vulnerability depends on the specifics of the respective heap allocator). This vulnerability is fixed in 4.10.2.
Deeper analysis
CVE-2025-62786 is a heap-based out-of-bounds write vulnerability in the decode_win_permissions function of Wazuh, a free and open-source platform used for threat prevention, detection, and response. The flaw occurs when a NULL byte is written two bytes before the start of the buffer allocated to decoded_it, affecting the Wazuh manager component. It is classified under CWE-124 and has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A compromised Wazuh agent or an attacker able to craft and send a specially crafted agent message to the Wazuh manager can potentially exploit this issue to achieve remote code execution on the manager. Exploitability depends on the specifics of the respective heap allocator.
The vulnerability is fixed in Wazuh version 4.10.2. Additional details are available in the Wazuh security advisory at https://github.com/wazuh/wazuh/security/advisories/GHSA-2c8r-p6r5-xxmr and the fixing commit at https://github.com/wazuh/wazuh/commit/2257d7998aaff34263169d16f4afc491564a771c.
Details
- CWE(s)