CVE-2025-15615: CWE-276 Incorrect Default Permissions in Wazuh wazuh-manager
CVE-2025-15615 is a medium-severity vulnerability in Wazuh Manager's authd service (versions up to 4.7.3) involving improper restriction of client-initiated SSL/TLS renegotiation. Remote attackers can exploit this flaw by sending excessive renegotiation requests, causing a denial of service (DoS) through CPU resource exhaustion. The vulnerability does not require authentication or user interaction and affects the availability of the authd service. No known exploits are currently reported in the wild. Organizations using vulnerable versions of wazuh-manager should prioritize patching or applying mitigations to prevent service disruption. This vulnerability is particularly relevant to entities relying on Wazuh for security monitoring and incident response. Countries with significant Wazuh deployments and critical infrastructure monitoring are at higher risk. The CVSS 4.
AI Analysis
Technical Summary
CVE-2025-15615 is a vulnerability in the Wazuh Manager's authd service (wazuh-authd, the agent-enrollment daemon, which listens on TCP/1515 by default), affecting wazuh-manager packages up to version 4.7.3. The flaw is an improper restriction of client-initiated SSL/TLS renegotiation: a connected client can request renegotiation again and again with no limit. Every renegotiation forces the server through a fresh handshake, including its private-key operation, in exchange for a request that costs the client almost nothing, so a single remote party can drive the manager's CPU to saturation and make authd unavailable. The record files the weakness under CWE-276; note that CWE-276 is "Incorrect Default Permissions", which describes this defect poorly, since the problem is a missing limit on renegotiation attempts (uncontrolled resource consumption) rather than a permission setting. Exploitation requires no authentication and no user interaction, so anyone with network access to the enrollment port can trigger it. Only availability is affected; confidentiality and integrity are not. No patches were linked at the time of reporting, and no exploitation in the wild has been observed. The CVSS 4.0 vector reads AV:N (network attack vector), AC:L (low attack complexity), PR:N (no privileges required), UI:N (no user interaction), VC:N/VI:N (no confidentiality or integrity impact on the vulnerable system), VA:L (low availability impact on the vulnerable system), SC:N/SI:N (no confidentiality or integrity impact on subsequent systems) and SA:L (low availability impact on subsequent systems, here the agents that depend on enrollment). This matters for organizations that rely on Wazuh for security monitoring, because an unavailable authd blocks agent enrollment and can leave new or re-enrolling hosts unmonitored.
Potential Impact
The primary impact of CVE-2025-15615 is denial of service against the Wazuh Manager's authd service. authd handles agent enrollment, that is, issuing keys to agents over TLS, and is separate from the channel over which enrolled agents deliver their events (TCP/1514 by default). While authd is saturated, new agents cannot enroll and agents that need to re-enroll cannot obtain keys, so those hosts stay unmonitored; agents that are already enrolled keep reporting, although a manager pinned at full CPU by authd may degrade its other services as well. The damage is therefore to onboarding and recovery rather than a total loss of monitoring, but in environments that enroll agents continuously (autoscaling fleets, rebuilt hosts, short-lived containers) the gap can be significant, and it falls on exactly the infrastructure that is newest and least observed. The vulnerability exposes no data and grants no access; only availability is affected. Exploitation is easy and needs no privileges, so opportunistic attacks are plausible wherever the enrollment port is reachable from untrusted networks. The absence of known exploitation in the wild lowers the immediate risk, but the flaw should be addressed promptly.
Mitigation Recommendations
To mitigate CVE-2025-15615, upgrade wazuh-manager to a fixed release once the vendor publishes one; the record lists no patch link, so treat every version up to 4.7.3 as affected until the vendor states otherwise. Until then, reduce exposure of the authd service itself. authd is the agent-enrollment listener (TCP/1515 by default), so restrict that port at the firewall to the networks or hosts from which agents are actually enrolled, and keep it off the Internet entirely. Where agents are provisioned with keys out of band, disabling authd (the `disabled` setting of the `<auth>` block in ossec.conf) removes the exposed service altogether. Be clear about what does not help: enrollment passwords and agent certificates are checked only after the TLS handshake, so they do not stop renegotiation abuse, and connection-rate limiting only bounds how many connections an attacker opens, not how many renegotiations it performs inside each one. The effective server-side control for this class of flaw is to refuse client-initiated renegotiation (in OpenSSL, the SSL_OP_NO_RENEGOTIATION context option) or to negotiate only TLS 1.3, which has no renegotiation at all; whether a given wazuh-manager build does either is for the vendor advisory to confirm. A quick check of your own deployment: connect with `openssl s_client -connect <manager>:1515 -tls1_2`, and once the handshake has completed type `R` and press Enter. A server that tolerates client-initiated renegotiation runs a new handshake; one that refuses it sends a no_renegotiation alert or closes the connection, and a server that will not even negotiate TLS 1.2 has no renegotiation to abuse. For detection, renegotiations are visible without decryption: in TLS 1.2 the record header's content type (22, Handshake) is sent in the clear, so a network sensor or IPS can count handshake records appearing on an already-established connection and alert when one source issues far more than the single handshake an enrollment needs. Pair this with reviewing the manager's logs for authd restarts and sustained CPU saturation, and keep a documented recovery procedure for DoS conditions: restarting the service, tightening firewall rules temporarily, and re-enrolling any agents that failed during the outage.
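The detection idea above, as an added example that is not Wazuh code and not part of the original advisory: a sliding-window counter over TLS handshake events. It assumes a sensor that emits one record per TLS Handshake record (content type 22) it observes, keyed by source address and TCP connection, so that the first handshake on a connection is the normal one and every later handshake on that connection is a renegotiation. The event format, the addresses, the thresholds and the use of 1515 as authd's port are all assumptions constructed for illustration.

```python
"""Flag sources that flood a TLS server with renegotiations.

Added example for the mitigation notes above; not Wazuh code. The input is a
constructed event stream of the kind a TLS-aware sensor could emit: one record
per TLS Handshake record (content type 22) observed on a connection. The first
handshake on a connection is the normal one; every later handshake on the same
connection is a renegotiation. Counting renegotiations per source over a sliding
window separates a flood from enrollment traffic, which handshakes once.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

AUTHD_PORT = 1515  # assumption: authd left on its default enrollment port


@dataclass(frozen=True)
class HandshakeEvent:
    ts: float      # seconds since capture start
    src: str       # client address
    conn_id: str   # identifies one TCP connection (e.g. "src:sport->dst:dport")
    dst_port: int  # server port the handshake was sent to


def count_renegotiations(events, port=AUTHD_PORT):
    """Return (ts, src) for each handshake that is not its connection's first.

    Handshakes to other ports are ignored; the first handshake on a connection
    is the legitimate initial one and is not counted.
    """
    seen_first = set()
    renegotiations = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst_port != port:
            continue
        if ev.conn_id in seen_first:
            renegotiations.append((ev.ts, ev.src))
        else:
            seen_first.add(ev.conn_id)
    return renegotiations


def find_renegotiation_abusers(events, window_s=10.0, threshold=20, port=AUTHD_PORT):
    """Map each offending source to the peak number of renegotiations it issued
    inside any window_s-second sliding window. A source is an offender once that
    count reaches threshold; sources that stay below it are not reported."""
    recent = defaultdict(deque)  # src -> timestamps of renegotiations still in the window
    peaks = {}
    for ts, src in count_renegotiations(events, port):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def constructed_sample():
    """Constructed traffic: 30 enrolling agents with one handshake each, one
    client with two benign renegotiations, and one source driving 60
    renegotiations over a single connection in six seconds. Addresses are from
    private and documentation ranges."""
    events = []
    for i in range(30):
        events.append(HandshakeEvent(ts=2.0 * i, src=f"10.0.{i // 10}.{i % 10 + 1}",
                                     conn_id=f"agent-{i}", dst_port=1515))
    for ts in (5.0, 5.5, 6.0):
        events.append(HandshakeEvent(ts=ts, src="10.0.9.9", conn_id="agent-slow", dst_port=1515))
    events.append(HandshakeEvent(ts=10.0, src="203.0.113.7", conn_id="flood-1", dst_port=1515))
    for k in range(60):
        events.append(HandshakeEvent(ts=10.1 + 0.1 * k, src="203.0.113.7",
                                     conn_id="flood-1", dst_port=1515))
    # a handshake to the agent-communication port is not authd traffic and is skipped
    events.append(HandshakeEvent(ts=11.0, src="203.0.113.7", conn_id="other-1", dst_port=1514))
    return events


if __name__ == "__main__":
    sample = constructed_sample()
    print(f"{len(count_renegotiations(sample))} renegotiations seen")
    for src, peak in find_renegotiation_abusers(sample).items():
        print(f"ALERT {src}: {peak} renegotiations within a 10 s window")
```

The threshold is deliberately per source rather than per connection, because an attacker can spread renegotiations across a few connections to stay under a per-connection limit. Tune `window_s` and `threshold` against a baseline of your own enrollment traffic; a legitimate agent performs one handshake per enrollment, so anything beyond a handful of renegotiations from one address in a short window is already suspicious.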
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-27T16:20:48.688Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c5913c064ed76fdb1789
Added to database: 3/27/2026, 5:59:45 PM
Last enriched: 3/27/2026, 6:11:36 PM
Last updated: 3/27/2026, 7:07:41 PM