Description
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is introduced by the use of curl with the -k/--insecure flag in Wazuh provisioning scripts and Dockerfiles. This disables SSL/TLS certificate validation and allows an attacker positioned on the network path to perform a man-in-the-middle attack during the build process. By intercepting and modifying the downloaded dependencies or code, the attacker can inject malicious code that is executed as part of the agent build, leading to remote code execution and supply-chain compromise. The underlying weaknesses are improper certificate validation (CWE-295) and inclusion of functionality from an untrusted control sphere (CWE-829).

Affected Systems

The affected components are the Wazuh Provisioning Scripts used for the agent build environment. No specific patched versions are listed in the CNA data; therefore, the impact applies to all versions that still use the insecure curl invocation. Operators should check the Wazuh repository or release notes for updates that remove the insecure flag.

Risk and Exploitability

The CVSS base score of 6.3 indicates medium severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, the likely attack vector is a network attacker who can observe or intercept the build traffic, such as an attacker with access to the CI pipeline or to the repository hosting the build artifacts. Inference: because curl is called with --insecure, any network path that supplies the dependencies can be tampered with to deliver malicious code into the build environment. Hence the risk is contingent on the network exposure of the build infrastructure.

Generated by OpenCVE AI on April 8, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Wazuh provisioning scripts that have removed the insecure curl invocation.
  • If no patch is available, modify the scripts to drop the -k/--insecure flag so that curl performs proper certificate verification, or replace the invocation with one that enforces SSL/TLS validation.
  • Configure the build environment to source dependencies from trusted, signed registries and verify checksums.
  • Isolate the build infrastructure and restrict network access to only trusted sources.
  • Monitor build logs for unexpected dependency changes or injected code.

Generated by OpenCVE AI on April 8, 2026 at 16:29 UTC.
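As an added example (not Wazuh's scripts and not part of the OpenCVE record), the POSIX shell script below covers two of the recommended actions: it flags curl invocations in a script or Dockerfile that carry -k/--insecure, and it downloads a dependency with certificate validation kept on while pinning the result to an expected SHA-256 digest. The sample Dockerfile fragment, URLs and digests are constructed for the example.

```shell
#!/bin/sh
# Added example (not Wazuh's or OpenCVE's code): flag curl lines that disable
# certificate validation, and fetch artifacts with validation kept on and the
# result pinned to an expected SHA-256.
set -eu

# Matches --insecure, or a short-flag cluster containing k (-k, -sSLk, -kL).
# Line-based: a -k on a continuation line without the word "curl" is missed,
# and curl also honours an "insecure" line in ~/.curlrc, so check that too.
INSECURE_CURL_RE='curl.*([[:space:]]--insecure([[:space:]]|$)|[[:space:]]-[a-zA-Z]*k[a-zA-Z]*([[:space:]]|$))'

# Print the number of insecure curl lines in FILE (0 when clean).
count_insecure_curl() {
    grep -cE "$INSECURE_CURL_RE" "$1" || true
}

sha256_of() {  # hex digest of FILE, portable across sha256sum and shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {  # verify_sha256 FILE EXPECTED_HEX
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download over HTTPS only (no -k, redirects may not downgrade, TLS 1.2+)
# and discard the artifact unless it matches the pinned digest.
fetch_verified() {  # fetch_verified URL EXPECTED_HEX OUTFILE
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$3" "$1"
    if ! verify_sha256 "$3" "$2"; then
        echo "checksum mismatch for $1, discarding $3" >&2
        rm -f "$3"
        return 1
    fi
}

# Constructed sample of a provisioning script / Dockerfile fragment.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
RUN curl -sSLk https://example.invalid/deps.tar.gz -o /tmp/deps.tar.gz
curl --insecure -o /tmp/tool.sh https://example.invalid/tool.sh
RUN curl -fsSL --proto '=https' https://example.invalid/ok.tar.gz -o ok.tar.gz
curl --keepalive-time 60 -o page https://example.invalid/
EOF
echo "insecure curl lines in sample: $(count_insecure_curl "$SAMPLE")"   # 2
```

Running count_insecure_curl over the repository's scripts and Dockerfiles in CI, and failing the job on a non-zero count, keeps the flag from returning after it has been removed.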


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 15:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wazuh wazuh
CPEs                 -                cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
Vendors & Products   -                Wazuh wazuh

Tue, 31 Mar 2026 14:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wazuh; Wazuh wazuh Provisioning Scripts
Vendors & Products   -                Wazuh; Wazuh wazuh Provisioning Scripts

Fri, 27 Mar 2026 20:00:00 +0000

Type   Values Removed                                                                                                              Values Added
Title  Various uses of curl without verifying the authenticity of the SSL certificate, leading to MITM-RCE in build infrastructure  Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM and RCE

Fri, 27 Mar 2026 18:45:00 +0000

Type         Values Removed   Values Added
Description  -                Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.
Title        -                Various uses of curl without verifying the authenticity of the SSL certificate, leading to MITM-RCE in build infrastructure
Weaknesses   -                CWE-295; CWE-829
References   -                -
Metrics      -                cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                              cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T13:35:46.422Z

Reserved: 2026-03-20T16:24:45.413Z

Link: CVE-2025-15612

Vulnrichment

Updated: 2026-03-31T13:35:42.697Z

NVD

Status: Analyzed

Published: 2026-03-27T19:16:41.690

Modified: 2026-04-08T15:34:47.883

Link: CVE-2025-15612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:10Z

Weaknesses