CVE-2025-54866 in Wazuh
Summary
by MITRE • 11/21/2025
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in version 4.13.0.
Analysis
by VulDB Data Team • 12/03/2025
The vulnerability identified as CVE-2025-54866 affects Wazuh, a widely deployed open-source security platform for threat prevention, detection, and response in enterprise environments. The issue lies in the Windows ossec-agent component and is an access control flaw present in every release from 4.3.0 up to, but not including, 4.13.0. It concerns the credential the agent uses to authenticate, so it creates a significant risk for organizations that rely on Wazuh for their security operations.
The technical flaw is a missing access control list on C:\Program Files (x86)\ossec-agent\authd.pass, the file that stores the password the agent uses for authd enrollment with the manager. That file should be readable only by the agent service and administrators, but no restrictive ACL is applied to it, so every authenticated user on the local machine can read the password. This effectively creates a privilege escalation vector and undermines the basic assumption of the agent's authentication design that the enrollment credential stays private.
The operational impact goes beyond simple credential exposure, since the password gives an attacker a path to resources and services managed by the Wazuh agent. Anyone with local access to a machine running an affected agent can read the stored password and potentially use it to escalate privileges or gain unauthorized access to other systems in the network. The weakness maps to CWE-284 (Improper Access Control) and is a clear violation of the principle of least privilege that should govern every security-sensitive application. Because the exposure reaches every authenticated user on the local machine, it substantially broadens the attack surface of systems running vulnerable Wazuh versions.
Organizations running Wazuh should prioritize upgrading to version 4.13.0 or later, which applies proper access controls to the credential file. Additional mitigations include network segmentation to limit local access to systems running Wazuh agents, monitoring for unauthorized access attempts against sensitive system files, and auditing all Wazuh installations. The case illustrates why access control must be implemented correctly even in security software, and what credential mismanagement in an enterprise security platform can cost. It also maps to ATT&CK technique T1078 (Valid Accounts), which covers privilege escalation through legitimate credentials, making it particularly concerning for organizations that depend on Wazuh for security monitoring and incident response.
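As an added example that is not part of this advisory or of Wazuh's own code, the PowerShell script below audits the ACL on the agent's authd.pass file for the weak condition described here (read access for Everyone, Authenticated Users or Users) and, with -Remediate, replaces it with an explicit ACL. The SYSTEM-plus-Administrators ACL it applies is this example's own assumption about what the agent service needs, not the ACL shipped in 4.13.0; the upgrade remains the fix.

```powershell
# Added example (not Wazuh's code): audit the ACL on authd.pass for read access
# granted to broad local principals (the weakness behind CVE-2025-54866) and,
# with -Remediate, replace it with an explicit SYSTEM + Administrators ACL.
# Assumption: the agent service runs as LocalSystem, so SYSTEM access suffices.
param([string]$Path = 'C:\Program Files (x86)\ossec-agent\authd.pass', [switch]$Remediate)

# Well-known SIDs that must never be able to read an enrollment password:
# Everyone, NT AUTHORITY\Authenticated Users, BUILTIN\Users.
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

function Test-AuthdPassAcl {
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so localized group names do not matter.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        # FileSystemRights bit 1 is ReadData; FullControl and Read both include it.
        if ($BroadSids -contains $sid -and ([int]$ace.FileSystemRights -band 1)) { $ace }
    }
}

function Set-AuthdPassAcl {
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    # Stop inheriting the directory's permissive ACL (without copying it), then
    # drop any remaining explicit ACEs so only the two rules added below apply.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $File -AclObject $acl
}

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path not found; this agent may not use password-based enrollment."
    return
}
$weak = @(Test-AuthdPassAcl -File $Path)
if ($weak.Count -eq 0) {
    Write-Host "OK: no broad read access on $Path"
} else {
    $weak | ForEach-Object { Write-Host ("WEAK: {0} has {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    if ($Remediate) { Set-AuthdPassAcl -File $Path; Write-Host "Restrictive ACL applied to $Path" }
}
```

Run it from an elevated session; without -Remediate it only reports, which makes it usable as a fleet-wide check before and after the upgrade.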