CVE-2025-64483: CWE-284: Improper Access Control in wazuh wazuh-dashboard-plugins
CVE-2025-64483 is a medium severity improper access control vulnerability in Wazuh Dashboard Plugins versions 4.9.0 up to but not including 4.13.0. Authenticated users with read-only API roles can exploit this flaw to retrieve agent enrollment credentials via the /utils/configuration endpoint. These credentials allow unauthorized registration of new agents within the same Wazuh tenant without elevated UI permissions. The vulnerability does not require user interaction and can be exploited remotely over the network. It has been patched in version 4.13.0.
AI Analysis
Technical Summary
CVE-2025-64483 is an improper access control vulnerability (CWE-284) affecting the Wazuh open source security platform, specifically its dashboard plugins component. The flaw exists in versions 4.9.0 through 4.12.x, where the Wazuh API's /utils/configuration endpoint improperly exposes agent enrollment credentials to users authenticated with read-only API roles. Normally, read-only roles should not have access to sensitive credentials or the ability to register new agents. However, due to this vulnerability, these users can retrieve enrollment credentials and use them to register new agents within the same Wazuh tenant without requiring elevated UI permissions. This unauthorized agent registration can lead to unauthorized data collection, monitoring, or manipulation within the security environment. The vulnerability is remotely exploitable over the network without user interaction and does not require elevated privileges beyond read-only API authentication. The issue was addressed and patched in Wazuh version 4.13.0. The CVSS v4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no need for user interaction. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized internal reconnaissance and potential compromise of security monitoring infrastructure. Attackers with read-only API access could leverage the exposed enrollment credentials to add rogue agents, which might be used to collect sensitive data, inject false alerts, or disrupt monitoring processes. This undermines the integrity and trustworthiness of the security monitoring environment. Organizations relying on Wazuh for compliance and threat detection could face increased risk of undetected intrusions or data leakage. The impact is particularly significant for sectors with stringent compliance requirements such as finance, healthcare, and critical infrastructure, where unauthorized agent registration could lead to regulatory violations and reputational damage. Since the vulnerability requires authenticated access, insider threats or compromised credentials pose the greatest risk. However, the ease of exploitation and lack of need for user interaction increase the attack surface within affected environments.
Mitigation Recommendations
European organizations should immediately upgrade all Wazuh installations to version 4.13.0 or later, where this vulnerability is patched. Until upgrades can be performed, restrict read-only API roles strictly and audit their usage to detect any anomalous access patterns. Implement strong authentication mechanisms and rotate API credentials regularly to minimize the risk of credential compromise. Monitor API endpoint access logs, especially calls to /utils/configuration, for unauthorized attempts to retrieve enrollment credentials. Employ network segmentation to limit API access to trusted management networks and enforce least privilege principles for all users and services interacting with the Wazuh API. Additionally, conduct internal security reviews to ensure no unauthorized agents have been registered and validate the integrity of existing agents. Incorporate these checks into regular security audits and incident response plans.
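Two of the checks above (confirm whether an installed version falls in the affected range, and review API access logs for /utils/configuration reads by read-only accounts) can be scripted. The following is an added example written for this page; it is not Wazuh's code and not part of the advisory. The log line layout it parses is constructed for the example and is an assumption: the real Wazuh API or reverse-proxy log format differs, so the regular expression must be adapted to it, and the role column assumes you can resolve each account to its API role.

```python
"""Added example (not Wazuh's code): triage helpers for CVE-2025-64483.

Check 1: is the dashboard-plugins version inside 4.9.0 <= v < 4.13.0?
Check 2: which successful /utils/configuration reads in an access log
         were made by accounts that only hold a read-only API role?
"""
import re
from typing import Iterable, List, Tuple

AFFECTED_MIN = (4, 9, 0)   # first affected version (inclusive), per advisory
FIXED = (4, 13, 0)         # patched version (exclusive upper bound), per advisory
SENSITIVE_PATH = "/utils/configuration"


def parse_version(v: str) -> Tuple[int, int, int]:
    """'4.12.1' -> (4, 12, 1); tolerates a package suffix such as '4.12.1-1'."""
    core = v.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version is in the range the advisory lists as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# CONSTRUCTED log layout (assumption, not Wazuh's real format):
#   <timestamp> <user> <api-role> <method> <path> <http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_config_reads(lines: Iterable[str],
                            readonly_roles=("readonly",)) -> List[Tuple[str, str]]:
    """Flag successful (HTTP 200) reads of /utils/configuration by read-only accounts.

    A 200 to a read-only role is the signal: on a patched version such a
    request should be refused, so a success means credentials may have been
    exposed. Denied requests (e.g. 403) are still worth reviewing but are
    not counted here.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash a log sweep
        path = rec["path"].split("?", 1)[0]
        if path == SENSITIVE_PATH and rec["role"] in readonly_roles and rec["status"] == "200":
            hits.append((rec["ts"], rec["user"]))
    return hits


# Constructed sample log lines for the example (not real data).
SAMPLE_LOG = """\
2025-11-21T18:02:58Z alice admin GET /utils/configuration 200
2025-11-21T18:03:10Z bob readonly GET /agents 200
2025-11-21T18:03:12Z bob readonly GET /utils/configuration 200
2025-11-21T18:04:00Z carol readonly GET /utils/configuration 403
not a log line
"""

if __name__ == "__main__":
    for v in ("4.8.2", "4.9.0", "4.12.1", "4.13.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for ts, user in suspicious_config_reads(SAMPLE_LOG.splitlines()):
        print(f"review: read-only account {user} read {SENSITIVE_PATH} at {ts}")
```

Run against the sample, only bob's request is reported: alice holds an admin role, bob's /agents call is not the sensitive path, and carol's attempt was denied. Any account reported this way should be checked against the list of agents enrolled shortly afterwards, which is the agent-integrity review the recommendations call for.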
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T19:12:25.101Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6920a952e2e82c33851aa18d
Added to database: 11/21/2025, 6:02:58 PM
Last enriched: 2/7/2026, 8:07:01 AM
Last updated: 2/7/2026, 2:49:18 PM