CVE-2025-30201

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a	Patch
https://github.com/wazuh/wazuh/pull/30060	Issue Tracking
https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-21 19:15

Updated : 2025-12-02 16:45

NVD link : CVE-2025-30201

Mitre link : CVE-2025-30201

CVE.ORG link : CVE-2025-30201

JSON object : View

Products Affected

wazuh

wazuh

CWE

CWE-73

External Control of File Name or Path

CWE-294

Authentication Bypass by Capture-replay

NVD-CWE-noinfo

{"id": "CVE-2025-30201", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2025-11-21T19:15:50.293", "references": [{"url": "https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wazuh/wazuh/pull/30060", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-294"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0."}], "lastModified": "2025-12-02T16:45:54.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6248EA61-D178-48E6-B2E3-EA37BFEDC305", "versionEndExcluding": "4.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}