CVE-2025-62787

Wazuh Vulnerable to Heap-based Buffer Over-read in DecodeWinevt

Severity Score

2.1

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.10.2, a buffer over-read occurs in DecodeWinevt() when child_attr[p]->attributes[j] is accessed, because the corresponding index (j) is incorrect. A compromised agent can cause a READ operation beyond the end of the allocated buffer (which may contain sensitive information) by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause a buffer over-read and potentially access sensitive data. While the buffer over-read is always triggered while resolving the arguments of mdebug2, specific configuration options (analysisd.debug=2) need to be in place for the respective data to be leaked. This vulnerability is fixed in 4.10.2.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

High

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

Low

None

Integrity

None

Availability

Low

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-10-22 CVE Reserved
2025-10-29 CVE Published
2025-10-29 CVE Updated
2026-04-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-126: Buffer Over-read

CAPEC

References (2)

URL	Tag	Source
https://github.com/wazuh/wazuh/commit/267d5d55de490469a9ec24a2b936bb3c5aa8fdda	X_refsource_misc
https://github.com/wazuh/wazuh/security/advisories/GHSA-3hhq-5367-98q6	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wazuh Search vendor "Wazuh"		Wazuh Search vendor "Wazuh" for product "Wazuh"				< 4.10.2 Search vendor "Wazuh" for product "Wazuh" and version " < 4.10.2"		en		Affected