Description
Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters. Attackers can exploit these vulnerabilities by injecting malicious commands through configuration files, SMTP server settings, and custom flags to achieve remote code execution on affected systems.
Published: 2026-03-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows shell injection and the use of an untrusted search path across multiple components of the Wazuh Agent and Manager; attackers can inject malicious shell commands into logcollector configuration files, maild SMTP server tags, and Kaspersky AR script parameters to execute arbitrary commands.

Affected Systems

Affected products are Wazuh wazuh-agent and Wazuh wazuh-manager; all releases from version 2.1.0 up to, but not including, 4.8.0 are vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation; the vulnerability is not listed in CISA's KEV catalog. The description shows that attackers can inject commands through configuration files, SMTP server settings, or custom flags, so exploitation is inferred to require write access to these configuration areas or some other ability to alter them. Once injected, the malicious code would run with the privileges of the running service, potentially compromising the entire system.

Generated by OpenCVE AI on March 31, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade wazuh-agent and wazuh-manager to version 4.8.0 or later
  • Refer to the vendor advisories for any additional fixes
  • Restrict write access to logcollector configuration files and SMTP tag settings to trusted administrators
  • Disable or sanitize the Kaspersky AR script parameters to prevent arbitrary shell execution
  • Ensure that the system’s search path is explicitly set and does not rely on user-provided values
  • Monitor system logs for indicators of attempted command injection or abnormal shell activity

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wazuh wazuh
CPEs | | cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*
Vendors & Products | | Wazuh wazuh

Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wazuh; Wazuh wazuh-agent; Wazuh wazuh-manager
Vendors & Products | | Wazuh; Wazuh wazuh-agent; Wazuh wazuh-manager

Fri, 27 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
Title | Multiple vulnerabilities related to shell injection and path traversal flaws | Wazuh Agent and Manager OS Command Injection and Untrusted Search Path

Fri, 27 Mar 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Wazuh wazuh-agent and wazuh-manager versions 2.1.0 before 4.8.0 contain multiple shell injection and untrusted search path vulnerabilities that allow attackers to execute arbitrary commands through various components including logcollector configuration, maild SMTP server tags, and Kaspersky AR script parameters. Attackers can exploit these vulnerabilities by injecting malicious commands through configuration files, SMTP server settings, and custom flags to achieve remote code execution on affected systems.
Title | | Multiple vulnerabilities related to shell injection and path traversal flaws
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-27T19:46:04.116Z

Reserved: 2026-03-27T16:25:45.628Z

Link: CVE-2025-15616

Vulnrichment

Updated: 2026-03-27T17:28:33.266Z

NVD

Status: Analyzed

Published: 2026-03-27T17:16:26.970

Modified: 2026-03-31T18:25:19.007

Link: CVE-2025-15616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:00:58Z

Weaknesses