CVE-2025-64483 in wazuh-dashboard-plugins
Summary
by MITRE • 11/21/2025
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0.
Analysis
by VulDB Data Team • 11/21/2025
CVE-2025-64483 affects the Wazuh security platform from version 4.9.0 up to, but not including, 4.13.0. It is a privilege escalation and information disclosure issue in the Wazuh API subsystem: authenticated users holding only read-only API roles can use the agent configuration endpoint to read enrollment credentials. The /utils/configuration endpoint thereby becomes an unintended access path that bypasses the normal authorization controls and yields the credentials needed to register agents. The flaw undermines the principle of least privilege by giving minimally privileged users a capability normally reserved for administrators or other privileged users.
Technically, the flaw is an improper access-control check in the Wazuh API's configuration handling. When a user with a read-only role requests /utils/configuration, the service does not verify that the caller is authorized to see the enrollment credentials contained in the configuration. This is a classic authorization bypass, classified under CWE-285 (improper authorization in security-sensitive operations). Sensitive authentication material is returned from an endpoint that should be restricted to elevated privileges, which gives an attacker a route to escalate access within the Wazuh environment.
The operational impact goes beyond information disclosure: the credentials let an attacker register new agents within the same Wazuh tenant without holding elevated permissions in the user interface. Consequences include unauthorized agent deployment, data exfiltration through the newly registered agents, and persistent footholds inside the security monitoring infrastructure. Attacker-controlled agents add entry points to the monitored environment and may evade controls and detections that assume only known, legitimately enrolled agents exist. The vulnerability falls under ATT&CK technique T1078.004, which covers valid accounts with elevated privileges, since access is obtained through legitimate credential use.
Organizations running an affected Wazuh version face a real risk of unauthorized agent registration and compromise of their security monitoring infrastructure. Exploitation requires only an authenticated account with read-only API permissions, which makes the issue especially concerning where such accounts are easier to compromise than privileged ones or where privileged accounts are not adequately protected. The fix in version 4.13.0 enforces proper access control so that only users with appropriate administrative privileges can obtain enrollment credentials through /utils/configuration. Security teams should prioritize upgrading to 4.13.0 or later to close the unauthorized agent registration path and the expanded attack surface it creates.
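Two defender-side helpers for the version range and the access-control pattern described above, as an added example that is not Wazuh project code: an affected-version check for inventory scripts, and a deny-by-default filter that strips enrollment credentials from a configuration response unless the caller holds an administrative role. The role name "administrator", the "enrollment.*" key layout and the sample values are assumptions, not taken from the Wazuh source.

```typescript
// Added example (hypothetical, not Wazuh's implementation) for CVE-2025-64483:
// (1) flag versions in the affected range 4.9.0 <= v < 4.13.0;
// (2) return only the configuration keys a caller's role permits.

type Version = [number, number, number];

function parseVersion(text: string): Version {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a: Version, b: Version): number {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in [4.9.0, 4.13.0), the range in the advisory.
function isAffected(version: string): boolean {
  const v = parseVersion(version);
  return compareVersions(v, [4, 9, 0]) >= 0 && compareVersions(v, [4, 13, 0]) < 0;
}

interface ApiUser { name: string; roles: string[]; }

// Assumed key layout: enrollment material lives under "enrollment.*".
function isEnrollmentSecret(key: string): boolean {
  return key.indexOf("enrollment.") === 0;
}

// Deny by default: secret keys are dropped unless the caller holds the
// assumed "administrator" role. Everything else passes through unchanged.
function configForUser(config: Record<string, unknown>, user: ApiUser): Record<string, unknown> {
  const privileged = user.roles.indexOf("administrator") !== -1;
  const visible: Record<string, unknown> = {};
  for (const key of Object.keys(config)) {
    if (!privileged && isEnrollmentSecret(key)) continue;
    visible[key] = config[key];
  }
  return visible;
}

// Constructed sample configuration; values are placeholders, not real settings.
const SAMPLE_CONFIG: Record<string, unknown> = {
  "hosts.default.url": "https://wazuh-manager.example",
  "enrollment.dns": "wazuh-manager.example",
  "enrollment.password": "PLACEHOLDER_ENROLLMENT_PASSWORD",
};
```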