CVE-2025-30201

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a	Patch
https://github.com/wazuh/wazuh/pull/30060	Issue Tracking
https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*

History

02 Dec 2025, 16:45

Type	Values Removed	Values Added
References	~~() https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a -~~	() https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a - Patch
References	~~() https://github.com/wazuh/wazuh/pull/30060 -~~	() https://github.com/wazuh/wazuh/pull/30060 - Issue Tracking
References	~~() https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x -~~	() https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x - Exploit, Vendor Advisory
First Time		Wazuh wazuh Wazuh
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:wazuh:wazuh::::::::

21 Nov 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-21 19:15

Updated : 2025-12-02 16:45

NVD link : CVE-2025-30201

Mitre link : CVE-2025-30201

CVE.ORG link : CVE-2025-30201

JSON object : View

Products Affected

wazuh

wazuh

CWE

CWE-73

External Control of File Name or Path

CWE-294

Authentication Bypass by Capture-replay

NVD-CWE-noinfo

{"id": "CVE-2025-30201", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2025-11-21T19:15:50.293", "references": [{"url": "https://github.com/wazuh/wazuh/commit/688972da589e5d40d2a81bcd738240303a3dc45a", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/wazuh/wazuh/pull/30060", "tags": ["Issue Tracking"], "source": "[email protected]"}, {"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-x697-jf34-gp5x", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-294"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to version 4.13.0, a vulnerability in Wazuh Agent allows authenticated attackers to force NTLM authentication through malicious UNC paths in various agent configuration settings, potentially leading NTLM relay attacks that would result privilege escalation and remote code execution. This issue has been patched in version 4.13.0."}], "lastModified": "2025-12-02T16:45:54.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6248EA61-D178-48E6-B2E3-EA37BFEDC305", "versionEndExcluding": "4.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}