CVE-2025-30201

HighPublic PoC

Published: 21 November 2025

Published

21 November 2025

Modified

02 December 2025

KEV Added

—

Patch

—

CVSS Score 7.7 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0022 44.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings,…

potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in Wazuh Agent prior to version 4.13.0 by applying the patch that fixes malicious UNC path handling in configuration settings.

SI-10 Information Input Validation good match

prevent

Validates all information inputs to agent configuration settings to block injection of malicious UNC paths that trigger unwanted NTLM authentication.

CM-5 Access Restrictions for Change good match

prevent

Restricts access to Wazuh Agent configuration changes to authorized personnel only, mitigating exploitation by high-privilege (PR:H) authenticated attackers.

Security SummaryAI

CVE-2025-30201 is a vulnerability in the Wazuh Agent, a component of the free and open-source Wazuh platform for threat prevention, detection, and response. Affecting versions prior to 4.13.0, the flaw enables authenticated attackers to force NTLM authentication by injecting malicious UNC paths into various agent configuration settings. This issue is rated with a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N) and is associated with CWEs-73 (External Control of File Name or Path) and CWE-294 (Authentication Bypass by Capture-replay).

An attacker with high privileges (PR:H) on a network-accessible system can exploit this vulnerability by crafting agent configurations that trigger NTLM authentication attempts. This facilitates NTLM relay attacks, allowing the attacker to impersonate the Wazuh Agent when authenticating to other systems, potentially resulting in privilege escalation and remote code execution on target machines.

The vulnerability has been addressed in Wazuh version 4.13.0. Official mitigation details are available in the Wazuh security advisory (GHSA-x697-jf34-gp5x), along with the patching commit (688972da589e5d40d2a81bcd738240303a3dc45a) and pull request (30060) on the Wazuh GitHub repository. Security practitioners should upgrade to version 4.13.0 or later to remediate the issue.

Details

CWE(s): CWE-73 CWE-294 NVD-CWE-noinfo

Affected Products

wazuh

≤ 4.13.0

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

attack.mitre.org →

Why these techniques?

The vulnerability allows high-privileged authenticated attackers to inject malicious UNC paths into Wazuh Agent configurations, forcing NTLM authentication attempts that enable Forced Authentication (T1187) and facilitate NTLM relay attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a
Patch · security-advisories@github.com
https://github.com/wazuh/wazuh/pull/30060
Issue Tracking · security-advisories@github.com
https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x
Exploit, Vendor Advisory · security-advisories@github.com