A critical vulnerability has been disclosed in Wazuh Manager that could allow attackers to tamper with security data, delete alerts, and manipulate forensic evidence stored in the Wazuh indexer.
Tracked as GHSA-ff9g-85jq-r3g3, the vulnerability carries a CVSS score of 10.0 and affects Wazuh Manager 5.0.0-beta1 and the subsequent 5.x beta builds released before the patched 5.0.0-beta3. Wazuh 4.x is not affected, as the vulnerable inventory synchronization code path does not exist in that branch.
Vulnerability Details
The vulnerability affects the inventory_sync subsystem introduced in Wazuh 5.0.
The issue is caused by improper handling of the agent-controlled DataValue.index field when Wazuh Manager builds OpenSearch _bulk NDJSON requests.
In simple terms:
- Some fields are properly escaped before being sent to OpenSearch.
- However, the _index value is inserted without enough validation.
- This allows a malicious agent to inject crafted newline characters and JSON fragments.
- OpenSearch may then interpret those fragments as extra bulk actions.
As a result, an attacker could inject unauthorized OpenSearch operations such as:
- index
- delete
- update
These operations are then executed using the Wazuh Manager’s configured indexer credentials.
The impact depends on how privileged those credentials are. If the manager uses highly privileged OpenSearch credentials, an attacker may be able to manipulate Wazuh indices, delete alerts, or modify saved dashboard objects.
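To make the escaping gap concrete, here is an added illustration in Python (not Wazuh's own C++ code): a strict allow-list check for an agent-supplied index name, a bulk builder that applies it and serialises the action line with a JSON encoder, and an audit routine that counts the actions in an NDJSON body so an unexpected delete or update stands out. The wazuh-states- prefix, the sample inventory document and the tampered body are constructed assumptions for the demonstration.

```python
import json

# Constraints OpenSearch documents for index names: lowercase only, no whitespace or
# control characters, none of \ / * ? " < > | , # :  no leading - _ +, not "." or
# "..", at most 255 bytes. Anything outside this allow-list is rejected.
_FORBIDDEN = set('\\/*?"<>|,#: ')

def is_valid_index_name(name: str) -> bool:
    """Strict allow-list check for an agent-supplied index name."""
    if not name or name in (".", "..") or len(name.encode()) > 255:
        return False
    if name[0] in "-_+":
        return False
    for ch in name:
        # \n and \r are what would let a name smuggle extra NDJSON action lines
        if ord(ch) < 0x20 or ch == "\x7f" or ch in _FORBIDDEN or ch != ch.lower():
            return False
    return True

def build_bulk(docs, allowed_prefix="wazuh-states-"):
    """Build an OpenSearch _bulk NDJSON body from (index, document) pairs.
    The index name is validated, pinned to an expected prefix (assumed here), and
    emitted via json.dumps so no raw agent bytes reach the action line."""
    lines = []
    for index, doc in docs:
        if not is_valid_index_name(index) or not index.startswith(allowed_prefix):
            raise ValueError(f"rejected agent-supplied index name: {index!r}")
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def audit_bulk(body: str, expected_docs: int, allowed_prefix="wazuh-states-"):
    """Parse an NDJSON bulk body and return (action verbs, ok). ok is True only when
    the body holds exactly expected_docs actions, all plain 'index' actions on
    allowed indices. Suitable as an egress check before the request leaves the
    manager, or for reviewing captured request bodies during an investigation."""
    lines = [ln for ln in body.split("\n") if ln]
    verbs, targets, i = [], [], 0
    while i < len(lines):
        action = json.loads(lines[i])
        verb = next(iter(action))
        verbs.append(verb)
        targets.append(action[verb].get("_index", ""))
        i += 1 if verb == "delete" else 2   # delete actions carry no source line
    ok = (len(verbs) == expected_docs and all(v == "index" for v in verbs)
          and all(t.startswith(allowed_prefix) for t in targets))
    return verbs, ok

# Constructed sample: one inventory document from agent 001 (not real Wazuh data).
SAMPLE_DOCS = [("wazuh-states-inventory-system", {"agent_id": "001", "os": "ubuntu"})]

# Constructed sample of a tampered body on the wire: a delete action has been
# appended after the two lines that a single document legitimately needs.
TAMPERED_BODY = (
    '{"index":{"_index":"wazuh-states-inventory-system"}}\n'
    '{"agent_id":"001","os":"ubuntu"}\n'
    '{"delete":{"_index":"wazuh-alerts-sample","_id":"x"}}\n'
)
```

Running audit_bulk over the builder's output yields a single index action, while the tampered sample is flagged because its action count and verbs no longer match the one document the manager meant to send.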
Exploitation Conditions
The vulnerability can be exploited by an enrolled Wazuh agent.
This could be:
- A legitimate endpoint that has already been compromised.
- A rogue agent enrolled by an attacker.
The risk is higher when Wazuh agent enrollment is exposed and does not require password-based authentication. In that scenario, an attacker may be able to register a rogue agent and then abuse the vulnerable inventory synchronization process over standard Wazuh communication channels.
Potential Impact
Successful exploitation could allow an attacker to:
- Delete Wazuh alert documents and remove evidence of malicious activity.
- Modify inventory or vulnerability data for monitored agents.
- Tamper with data used by analysts during incident response.
- Write to dashboard or saved object indices in certain configurations.
- Undermine trust in SIEM data during an active intrusion.
- Perform cross-agent or cross-tenant data manipulation in poorly segmented environments.
This makes the vulnerability particularly dangerous for security teams because the affected system is used for detection, investigation, and response. An attacker who can alter or delete security telemetry may be able to hide follow-on activity and delay containment.
Recommended Actions
Organizations using Wazuh should take the following actions immediately:
- Upgrade affected Wazuh Manager 5.x beta deployments to version 5.0.0-beta3 or later.
- If an immediate upgrade is not possible, restrict access to Wazuh agent enrollment and remoted ports to trusted networks only.
- Enable password-based authentication for Wazuh agent enrollment.
- Review wazuh-authd configuration and disable anonymous or unauthenticated agent enrollment where possible.
- Avoid using highly privileged admin or all_access roles for routine indexer operations.
- Apply least-privilege permissions to the Wazuh Manager indexer account.
- Investigate recently enrolled agents, unexpected agent names, and connections from unfamiliar IP addresses.
- Monitor for attempts to access Wazuh communication ports, especially TCP/1514 and TCP/1515, from untrusted networks.
Stay Safe. Stay Secure.
OP Innovate Research Team