CVE-2025-15612: CWE-295 Improper Certificate Validation in Wazuh Wazuh Provisioning Scripts (Agent Build Environment)
Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise.
AI Analysis
Technical Summary
CVE-2025-15612 identifies a security weakness in the Wazuh provisioning scripts and Dockerfiles, specifically within the agent build environment starting from version 4.1.3. The root cause is the use of curl with the -k or --insecure option, which disables SSL/TLS certificate validation during the download of dependencies and code. This improper certificate validation (classified under CWE-295) undermines the trust model of secure communications, allowing attackers positioned on the network path to perform man-in-the-middle (MitM) attacks. Such attackers can intercept, modify, or replace the downloaded content with malicious payloads. Since these provisioning scripts are part of the build environment, compromised downloads can lead to the injection of malicious code into the build artifacts, resulting in remote code execution on target systems and a broader supply chain compromise. The vulnerability does not require any authentication or user interaction but does require the attacker to have network access to the build environment or its traffic. The CVSS 4.0 score is 6.3 (medium), reflecting the moderate ease of exploitation and the limited scope of impact confined to the build environment. No patches or fixes are currently linked, and no active exploitation has been reported. This vulnerability highlights the critical importance of enforcing proper certificate validation in automated build and provisioning processes to maintain supply chain integrity.
Potential Impact
The primary impact of CVE-2025-15612 is the potential for supply chain compromise through the injection of malicious code during the build process of Wazuh agents. Organizations relying on Wazuh for security monitoring and endpoint detection could face remote code execution risks if attackers successfully intercept and alter provisioning scripts or dependencies. This could lead to unauthorized access, data breaches, or disruption of security operations. The compromise of build artifacts can propagate malicious code to multiple endpoints, amplifying the attack's reach and persistence. Additionally, trust in the integrity of security tools like Wazuh could be undermined, affecting incident response and compliance postures. While exploitation requires network access to the build environment, environments with exposed or poorly segmented build infrastructure are at higher risk. The lack of authentication and user interaction requirements lowers barriers for attackers with network presence. Overall, the vulnerability poses a significant risk to organizations using Wazuh in sensitive or large-scale deployments, especially those with complex supply chains and automated build pipelines.
Mitigation Recommendations
To mitigate CVE-2025-15612, organizations should immediately audit and update their Wazuh provisioning scripts and Dockerfiles to remove the use of the curl -k/--insecure flag, ensuring that SSL/TLS certificate validation is enforced for all downloads. Implement strict certificate pinning or use trusted certificate authorities to validate server certificates during dependency retrieval. Network segmentation should be applied to isolate build environments from untrusted networks, reducing the risk of MitM attacks. Employ secure build environments with encrypted and authenticated channels (e.g., VPNs or private networks) to protect provisioning traffic. Regularly verify the integrity of downloaded dependencies using cryptographic hashes or signatures. Monitor network traffic for unusual interception or modification attempts. Additionally, consider integrating supply chain security tools that scan for tampered or malicious code in build artifacts. Stay updated with Wazuh vendor advisories for patches or official fixes and apply them promptly once available. Finally, conduct security awareness and training for DevOps teams to recognize and avoid insecure scripting practices.
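As an added example (not code from the advisory or from the Wazuh project), the following POSIX shell shows the two mitigations above in practice: an audit that flags curl invocations using `-k` (including inside a short-flag cluster such as `-sSLk`) or `--insecure` in scripts and Dockerfiles, and a hardened download that keeps certificate validation on and pins the artifact's SHA-256 before it enters the build. The sample Dockerfile lines, URLs and hashes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Wazuh project.
# URLs, file names and hashes below are constructed placeholders.

# "curl", then later a token that is a short-flag cluster containing k, or --insecure.
INSECURE_CURL_RE='curl[^|;&]*[[:space:]](-[[:alpha:]]*k[[:alpha:]]*|--insecure)([[:space:]]|$)'

# Print offending lines (with line numbers) from the given files.
# Exit 0 = clean, 1 = insecure curl found, 2 = grep could not read a file.
audit_curl_tls() {
    grep -nE "$INSECURE_CURL_RE" "$@" && return 1   # findings printed: fail
    [ $? -eq 1 ] || return 2                        # only "no match" is clean
    return 0
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Reject (and delete) an artifact whose digest is not the pinned one.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ] && return 0
    echo "checksum mismatch: $1" >&2
    rm -f "$1"
    return 1
}

# Hardened replacement for "curl -k": HTTPS only, TLS 1.2+, certificate
# validation left enabled, fail on HTTP errors, then pin the SHA-256.
fetch_verified() {
    curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
         --output "$2" "$1" || return 1
    verify_sha256 "$2" "$3"
}

# Audit a constructed Dockerfile fragment (two insecure lines, one clean line).
demo_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
RUN curl -sSLk https://example.invalid/dep.tar.gz -o /tmp/dep.tar.gz
RUN curl --insecure -o /tmp/tool https://example.invalid/tool
RUN curl --fail --proto '=https' -o /tmp/ok https://example.invalid/ok
EOF
    if audit_curl_tls "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

if [ "${1-}" = "--demo" ]; then demo_audit; fi
```

Run with `--demo` to see the audit report the two insecure lines; `fetch_verified URL OUT SHA256` is the pattern to substitute for `curl -k` in the provisioning scripts themselves.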
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-20T16:24:45.413Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6d01e3c064ed76fe28e04
Added to database: 3/27/2026, 6:44:46 PM
Last enriched: 3/27/2026, 7:01:04 PM
Last updated: 3/28/2026, 1:15:51 AM