CVE-2025-64483
MEDIUM
wazuh-dashboard-plugins 4.9.0-4.12.9 - Credential Exposure via /utils/configuration
Title source: llm
Description
Wazuh is a security detection, visibility, and compliance open source project. From version 4.9.0 to before 4.13.0, the Wazuh API – Agent Configuration in certain configurations allows authenticated users with read-only API roles to retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI. This issue has been patched in version 4.13.0.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/wazuh/wazuh-dashboard-plugins/security/advisories/GHSA-gwf3-8gm3-qrmj
Scores
CVSS v4: 5.3
EPSS: 0.0022
EPSS Percentile: 12.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-284
Status: published
Products (1)
wazuh/wazuh-dashboard-plugins: >= 4.9.0, < 4.13.0
Published: Nov 21, 2025
Tracked Since: Feb 18, 2026