CVE-2025-15617: CWE-522 Insufficiently Protected Credentials in Wazuh Wazuh (GitHub Actions)
CVE-2025-15617 is a medium-severity vulnerability affecting Wazuh version 4.12.0, where GitHub Actions workflow artifacts expose the GITHUB_TOKEN. This exposure allows attackers to extract the token from uploaded artifacts within a limited time window. Using the token, attackers can perform unauthorized actions such as pushing malicious commits or altering release tags. The vulnerability stems from insufficient protection of credentials (CWE-522) in the CI/CD pipeline. Exploitation requires no authentication or user interaction but has a high attack complexity due to the need to access workflow artifacts. No known exploits are currently reported in the wild. Organizations using Wazuh 4.12.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-15617 identifies a vulnerability in Wazuh version 4.12.0 related to the exposure of the GITHUB_TOKEN within GitHub Actions workflow artifacts. Wazuh, a popular open-source security monitoring platform, integrates with GitHub Actions for CI/CD automation. In this version, artifacts generated during workflows are insufficiently protected, allowing unauthorized parties to extract the GITHUB_TOKEN embedded in these artifacts. The token is a sensitive credential that grants permissions to perform repository operations such as pushing commits and modifying release tags. The vulnerability is classified under CWE-522, indicating insufficient protection of credentials. The attack vector is network-based with high complexity, requiring the attacker to obtain the workflow artifacts within the limited time they remain available. No privileges or user interaction are required to exploit this vulnerability, but the token's limited validity narrows the exploitation window. The CVSS 4.0 score of 6.3 reflects a medium severity, primarily due to the high attack complexity and limited scope of impact. Although no known exploits have been reported in the wild, the potential for supply chain compromise through unauthorized code changes or release manipulations is significant. The vulnerability highlights the risks of improper credential management in CI/CD pipelines and the importance of securing artifact storage and token permissions.
Potential Impact
The primary impact of CVE-2025-15617 is on the integrity and availability of software development pipelines using Wazuh 4.12.0 with GitHub Actions. Attackers who successfully extract the GITHUB_TOKEN can push malicious commits, potentially injecting backdoors or vulnerabilities into the codebase. They can also alter release tags, misleading users and automated systems about software versions and updates. This could lead to widespread distribution of compromised software, undermining trust in the supply chain. Organizations relying on automated deployments and continuous integration may face disruptions, reputational damage, and increased risk of downstream attacks. The exposure of credentials also raises concerns about unauthorized access to repository resources, although the token's limited scope and time window somewhat mitigate the risk. However, if attackers automate token extraction and use, the vulnerability could be leveraged for persistent compromise. Overall, the threat affects organizations globally that use Wazuh in their DevOps workflows, especially those with critical software development and release processes.
Mitigation Recommendations
To mitigate CVE-2025-15617, organizations should implement the following specific measures:
1) Immediately audit and restrict the permissions granted to GITHUB_TOKEN in workflows, limiting them to the minimum necessary scopes to reduce potential damage if exposed.
2) Review and modify GitHub Actions workflows to avoid uploading artifacts containing sensitive tokens or credentials.
3) Implement artifact retention policies that minimize the time artifacts remain accessible, reducing the exposure window.
4) Use GitHub's encrypted secrets and environment protection features to safeguard tokens and avoid embedding them in artifacts.
5) Monitor workflow artifact access logs for unusual or unauthorized retrieval attempts.
6) Upgrade Wazuh to a patched version once available or apply vendor-recommended workarounds to secure artifact handling.
7) Educate DevOps teams on secure CI/CD practices, emphasizing credential management and artifact security.
8) Consider additional runtime monitoring to detect unauthorized repository changes or release tag modifications.
These targeted actions go beyond generic advice by focusing on the specific token exposure vector and CI/CD pipeline security.
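The following workflow is an added illustration of measures 1) through 4) above; it is not Wazuh's own workflow and is not taken from the advisory. The workflow name, the `build.sh` script, the `dist/` output directory and the artifact name are hypothetical placeholders. The `permissions`, `persist-credentials` and `retention-days` keys are standard GitHub Actions features.

```yaml
# Added example (not Wazuh's own workflow): a GitHub Actions job hardened against
# leaking GITHUB_TOKEN through uploaded artifacts. "build", "./build.sh",
# "dist/" and "build-output" are hypothetical placeholders.
name: build

on:
  push:
    branches: [main]

# Measure 1: scope GITHUB_TOKEN to the minimum this workflow needs. Omitting this
# block makes the token inherit the repository default, which may include write
# access to contents (commits, tags) and packages.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Measures 2/4: do not persist the token into .git/config, where a
          # later "upload the whole workspace" step would capture it.
          persist-credentials: false

      - name: Build
        run: ./build.sh   # hypothetical build script writing into dist/

      # Measure 2: fail the job before upload if the output directory contains a
      # GitHub-token-shaped string (ghs_/ghp_ prefixes) or the live token value.
      - name: Scan artifact directory for leaked credentials
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -eu
          if grep -rIqE 'gh[ps]_[A-Za-z0-9]{20,}' dist/ || grep -rIqF "$TOKEN" dist/; then
            echo "::error::credential-like string found in artifact directory"
            exit 1
          fi

      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/          # upload only the build output, never the workspace root
          retention-days: 1    # Measure 3: shrink the window in which artifacts are retrievable
```

The pre-upload scan is a defensive gate, not a substitute for the scoped `permissions` block: even if a token does slip into an artifact, a read-only token cannot push commits or move release tags, which is the impact the advisory describes.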
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-03-27T17:55:46.750Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c6c9173c064ed76fdf3893
Added to database: 3/27/2026, 6:14:47 PM
Last enriched: 3/27/2026, 6:30:26 PM
Last updated: 3/27/2026, 7:32:14 PM