CVE-2025-64483 is an improper access control vulnerability (CWE-284) affecting the Wazuh open-source security platform, specifically its dashboard plugins component. The flaw exists in versions 4.9.0 through 4.12.x, where the Wazuh API's Agent Configuration endpoint (/utils/configuration) improperly exposes sensitive agent enrollment credentials to users authenticated with read-only API roles. Normally, read-only roles should not have access to credentials that enable agent registration, which is a privileged operation. However, due to this vulnerability, these users can retrieve enrollment credentials and subsequently register new agents within the same Wazuh tenant without requiring elevated UI permissions. This unauthorized agent registration could allow attackers to introduce rogue agents that report falsified or malicious data, potentially undermining the integrity and trustworthiness of the security monitoring environment. The vulnerability has a CVSS 4.0 base score of 5.3 (medium severity), reflecting network exploitability without user interaction, requiring only low privileges, and causing limited confidentiality, integrity, and availability impacts. The issue was publicly disclosed on November 21, 2025, and fixed in Wazuh version 4.13.0. No known exploits have been reported in the wild, but the risk remains significant for environments relying on vulnerable versions. The vulnerability highlights the importance of strict access controls around sensitive API endpoints and credential management within security platforms.

For European organizations, this vulnerability poses a risk of unauthorized agent enrollment within Wazuh deployments, potentially allowing attackers or malicious insiders with read-only API access to introduce rogue agents. These rogue agents could feed false security telemetry, disrupt monitoring accuracy, or create backdoors for further compromise. The impact includes reduced integrity and trust in security data, possible evasion of detection, and increased attack surface. Organizations in sectors with high regulatory compliance requirements (e.g., finance, healthcare, critical infrastructure) may face compliance risks if security monitoring is compromised. Since Wazuh is widely used in Europe for security monitoring and compliance, especially in enterprises and managed security service providers, the vulnerability could affect a broad range of organizations. The medium severity rating indicates moderate risk, but the ease of exploitation by authenticated users with minimal privileges elevates concern. The lack of known exploits suggests limited active targeting so far, but the potential for misuse remains. Failure to patch could lead to insider threats or lateral movement by attackers who have obtained read-only API credentials.

European organizations should immediately upgrade all Wazuh deployments to version 4.13.0 or later, where this vulnerability is patched. Until upgrades are possible, restrict read-only API roles to trusted users only and audit API access logs for unusual activity, especially calls to the /utils/configuration endpoint. Implement strict role-based access controls (RBAC) to minimize the number of users with API access. Consider network segmentation to limit API endpoint exposure and use API gateways or proxies to monitor and control API traffic. Regularly rotate agent enrollment credentials and monitor for unauthorized agent registrations. Employ anomaly detection on agent behavior to identify rogue agents. Additionally, conduct internal security awareness training to reduce the risk of credential misuse by insiders. Finally, integrate vulnerability management processes to ensure timely patching of Wazuh and other critical security infrastructure components.