{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15612", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-20T16:24:45.413Z", "datePublished": "2026-03-27T18:16:11.058Z", "dateUpdated": "2026-03-27T19:48:43.866Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-27T19:48:43.866Z"}, "title": "Wazuh Provisioning Scripts / Build Infrastructure Improper Certificate Validation leading to MITM and RCE", "descriptions": [{"lang": "en", "value": "Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise."}], "datePublic": "2025-12-04T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation", "type": "CWE"}, {"lang": "en", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "affected": [{"vendor": "Wazuh", "product": "Wazuh Provisioning Scripts (Agent Build Environment)", "versions": [{"status": "affected", "version": ">=4.1.3", "versionType": "semver"}, {"status": "unaffected", "version": ">=4.14.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/various-uses-of-curl-without-verifying-the-authenticity-of-the-ssl-certificate-leading-to-mitm-rce-in-build-infrastructure", "tags": ["third-party-advisory"]}], "credits": [{"lang": "en", "value": "JLLeitschuh", "type": "finder"}, {"lang": "en", "value": "vikman90", "type": "reporter"}], "x_generator": {"engine": "manual"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh provisioning scripts and Dockerfiles contain an insecure transport vulnerability where curl is invoked with the -k/--insecure flag, disabling SSL/TLS certificate validation. Attackers with network access can perform man-in-the-middle attacks to intercept and modify downloaded dependencies or code during the build process, leading to remote code execution and supply chain compromise."}], "id": "CVE-2025-15612", "lastModified": "2026-03-27T19:16:41.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-27T19:16:41.690", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-wvg9-7q49-c7mg"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/various-uses-of-curl-without-verifying-the-authenticity-of-the-ssl-certificate-leading-to-mitm-rce-in-build-infrastructure"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}, {"lang": "en", "value": "CWE-829"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T19:51:09.850511+00:00", "value": {"mitigation_remediation": ["Remove the -k/--insecure flag from all curl commands in provisioning scripts and Dockerfiles. ", "Enforce SSL/TLS certificate validation by using the default curl behavior or by specifying trusted certificates. ", "Validate the integrity of downloaded dependencies using checksums or signature verification. ", "Review build artifacts for unexpected changes and perform regular integrity checks. ", "Keep provisioning scripts and Dockerfiles up to date with vendor updates that address the issue."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via MITM on Build Infrastructure"}, "threat_synthesis": {"affected_systems": "Wazuh provisioning scripts and Dockerfiles used in the Agent Build Environment are affected. No specific version information is available; the issue exists whenever the insecure curl usage is present.", "description_and_impact": "The vulnerability arises when curl is invoked with the -k/--insecure flag, which disables SSL/TLS certificate validation in provisioning scripts and Dockerfiles. This allows an attacker who can intercept network traffic to perform a man\u2011in\u2011the\u2011middle attack, modifying dependencies or code downloaded during the build process. The attacker can then inject malicious payloads that execute within the build environment, leading to remote code execution and supply chain compromise.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. The EPSS score is not available, but the requirement of network access to intercept traffic suggests a moderate likelihood of exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, yet it allows an attacker to tamper with the build code, potentially compromising any deployed agents. The overall risk is moderate to high depending on the exposure of the build infrastructure to external networks."}}}}, "created": "2026-03-27T20:27:49.593792+00:00", "updated": "2026-03-27T20:27:49.593823+00:00", "vendors": []}