CVE-2025-62786 · HIGH 8.1 · EPSS p44.3%

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. A heap-based out-of-bounds write occurs in decode_win_permissions: a NULL byte is written 2 bytes before the start of the buffer allocated to decoded_it. A compromised agent can potentially leverage this issue to perform remote code execution by sending a specially crafted message to the Wazuh manager. More generally, an attacker who is able to craft and send an agent message to the Wazuh manager can potentially achieve remote code execution on the manager; exploitability depends on the specifics of the respective heap allocator. This vulnerability is fixed in 4.10.2.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% probability of exploitation · percentile 44.3% · 2026-06-19T12:03:05Z
Published: 2025-10-29
Last modified: 2025-11-03

Underlying weaknesses · 1

CWE-124

References

  1. https://github.com/wazuh/wazuh/commit/2257d7998aaff34263169d16f4afc491564a771c
  2. https://github.com/wazuh/wazuh/security/advisories/GHSA-2c8r-p6r5-xxmr

Type | Target | Confidence | Tier
Weakness | Buffer Underwrite ('Buffer Underflow'), cwe-124 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-28221
  2. CVE: CVE-2026-25769
  3. CVE: Wazuh Server Deserialization of Untrusted Data Vulnerability
  4. CVE: CVE-2026-30893
  5. CVE: CVE-2025-30201
  6. CVE: CVE-2025-2368

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.