Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Wazuh Agent by Wazuh

    CVE-2024-1243 (GCVE-0-2024-1243)

    Vulnerability from nvd – Published: 2025-06-11 01:15 – Updated: 2025-06-11 14:25
    VLAI
    Title
    Remote code execution and local privilege escalation in Wazuh Windows agent via NetNTLMv2 hash theft
    Summary
    Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Wazuh Wazuh Agent Affected: < 4.8.0
    Create a notification for this product.
    Credits
    Rilke Petrosky of Pentraze Cybersecurity
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1243",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-11T14:24:10.821662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-11T14:25:37.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3crh-39qv-fxj7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Wazuh Agent",
              "vendor": "Wazuh",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.8.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rilke Petrosky of Pentraze Cybersecurity"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks."
                }
              ],
              "value": "Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-644",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-644 Use of Captured Hashes (Pass The Hash)"
                }
              ]
            },
            {
              "capecId": "CAPEC-73",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-73 User-Controlled Filename"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-11T01:15:13.116Z",
            "orgId": "41c37e40-543d-43a2-b660-2fee83ea851a",
            "shortName": "Pentraze"
          },
          "references": [
            {
              "url": "https://pentraze.com/"
            },
            {
              "url": "https://pentraze.com/vulnerability-reports/CVE-2024-1243/"
            },
            {
              "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3crh-39qv-fxj7"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Remote code execution and local privilege escalation in Wazuh Windows agent via NetNTLMv2 hash theft",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "41c37e40-543d-43a2-b660-2fee83ea851a",
        "assignerShortName": "Pentraze",
        "cveId": "CVE-2024-1243",
        "datePublished": "2025-06-11T01:15:13.116Z",
        "dateReserved": "2024-02-06T00:37:55.742Z",
        "dateUpdated": "2025-06-11T14:25:37.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-1243 (GCVE-0-2024-1243)

    Vulnerability from cvelistv5 – Published: 2025-06-11 01:15 – Updated: 2025-06-11 14:25
    VLAI
    Title
    Remote code execution and local privilege escalation in Wazuh Windows agent via NetNTLMv2 hash theft
    Summary
    Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-73 - External Control of File Name or Path
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Wazuh Wazuh Agent Affected: < 4.8.0
    Create a notification for this product.
    Credits
    Rilke Petrosky of Pentraze Cybersecurity
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-1243",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-11T14:24:10.821662Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-11T14:25:37.576Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3crh-39qv-fxj7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Wazuh Agent",
              "vendor": "Wazuh",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.8.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rilke Petrosky of Pentraze Cybersecurity"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks."
                }
              ],
              "value": "Improper input validation in the Wazuh agent for Windows prior to version 4.8.0 allows an attacker with control over the Wazuh server or agent key to configure the agent to connect to a malicious UNC path. This results in the leakage of the machine account NetNTLMv2 hash, which can be relayed for remote code execution or used to escalate privileges to SYSTEM via AD CS certificate forging and other similar attacks."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-644",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-644 Use of Captured Hashes (Pass The Hash)"
                }
              ]
            },
            {
              "capecId": "CAPEC-73",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-73 User-Controlled Filename"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73: External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-11T01:15:13.116Z",
            "orgId": "41c37e40-543d-43a2-b660-2fee83ea851a",
            "shortName": "Pentraze"
          },
          "references": [
            {
              "url": "https://pentraze.com/"
            },
            {
              "url": "https://pentraze.com/vulnerability-reports/CVE-2024-1243/"
            },
            {
              "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-3crh-39qv-fxj7"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Remote code execution and local privilege escalation in Wazuh Windows agent via NetNTLMv2 hash theft",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "41c37e40-543d-43a2-b660-2fee83ea851a",
        "assignerShortName": "Pentraze",
        "cveId": "CVE-2024-1243",
        "datePublished": "2025-06-11T01:15:13.116Z",
        "dateReserved": "2024-02-06T00:37:55.742Z",
        "dateUpdated": "2025-06-11T14:25:37.576Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }