CVE-2025-62792: 
Wazuh Agent vulnerability analysis and mitigation

Wazuh, a free and open source platform used for threat prevention, detection, and response, was found to contain a buffer over-read vulnerability (CVE-2025-62792) prior to version 4.12.0. The vulnerability was discovered in the wexpressionmatch() function where a buffer over-read occurs when strlen() is called on strtest, due to improper NULL termination during buffer allocation in OSCleanMSG(). The issue was disclosed on October 29, 2025 (GitHub Advisory).

The vulnerability occurs in the wexpressionmatch() function when strlen() is called on strtest, as the corresponding buffer is not properly NULL terminated during its allocation in OSCleanMSG(). The issue stems from lf->log pointing to the last byte of the buffer, which holds a random value, causing strlen to continue reading beyond the end of the allocated buffer until reaching a null terminator. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 7.5 (High) (NVD).

When successfully exploited, this vulnerability allows an attacker who can craft and send an agent message to the Wazuh manager to cause a buffer over-read, potentially accessing sensitive data beyond the intended buffer boundaries. The attack requires either enrolling a new agent (if agent enrollment is open) or compromising an existing agent (GitHub Advisory).

The vulnerability has been fixed in Wazuh version 4.12.0. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).