Critical Wazuh Manager Vulnerability Allows Remote Data Tampering and Evidence Deletion
A severe security flaw in Wazuh Manager (CVE pending, CVSS 10.0) has been disclosed, enabling remote attackers to manipulate security alerts, delete forensic evidence, and tamper with SIEM data. The vulnerability affects Wazuh Manager 5.0.0-beta1 and stems from an NDJSON injection flaw in the inventory_sync subsystem, where the untrusted DataValue.index value is written into the OpenSearch bulk request without escaping or validation.
The flaw allows malicious or compromised agents to inject arbitrary OpenSearch bulk operations by embedding crafted JSON fragments and newline characters into the _index field. Because the _bulk API is newline-delimited (each action and each source document is one line), an unescaped newline terminates the current action and lets the attacker start new ones. While other fields (e.g., _id) are properly escaped, the _index field is appended raw, enabling attackers to smuggle unauthorized delete, index, or update operations into the request.
Exploiting this vulnerability requires no prior authentication because the default wazuh-authd configuration permits anonymous agent enrollment. Once enrolled, attackers can:
- Delete arbitrary documents from Wazuh indices, erasing logs and alerts.
- Modify vulnerability and inventory data for other agents.
- Inject malicious content into Kibana dashboards for persistence or misdirection.
- Manipulate cross-tenant data in shared environments.
Researchers demonstrated a proof-of-concept (PoC) exploit over the standard Wazuh communication channels (TCP 1515 for enrollment, TCP 1514 for agent traffic), confirming that injected operations execute under the high-privileged OpenSearch credentials stored in Wazuh's keystore; the injected actions are therefore not limited to the indices the enrolling agent legitimately writes to. The flaw is classified under CWE-74 (Injection), CWE-93 (CRLF Injection), and CWE-863 (Incorrect Authorization), with the root cause tied to missing input validation and improper neutralization of special characters.
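The following Python example is added to illustrate the mechanism; it is not Wazuh's inventory_sync code. It reproduces the flawed pattern the advisory describes (the _id escaped, the _index concatenated raw into an NDJSON bulk body), shows how a newline in the index value smuggles a delete against another index, and contrasts it with a hardened builder that serializes the whole action line, validates the index name and enforces which index prefix an agent may write to. The function names, the record layout ({"index", "id", "data"}) and the sample index names are assumptions made for the demo.

```python
"""NDJSON injection into an OpenSearch _bulk body: flawed vs hardened builder.

Added example, not Wazuh's own code. Function names, record layout and the
sample index names below are assumptions; only the mechanism (an unescaped
_index value carrying a newline into a newline-delimited bulk body) follows
the advisory.
"""
import json
import re

# Conservative allow-list for an index name (assumption: a subset of the
# OpenSearch naming rules, lowercase alphanumerics plus . _ - and no leading
# punctuation). Newlines, quotes and braces can never pass it.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,254}")


def build_bulk_vulnerable(records):
    """Flawed pattern: _id goes through json.dumps, _index is concatenated raw."""
    lines = []
    for rec in records:
        action = ('{"index":{"_index":"' + rec["index"] + '","_id":'
                  + json.dumps(rec["id"]) + "}}")
        lines.append(action)
        lines.append(json.dumps(rec["data"]))
    return "\n".join(lines) + "\n"


def build_bulk_hardened(records, allowed_prefix):
    """Serialize the whole action line with json.dumps (newlines and quotes are
    escaped), validate the index name, and enforce which indices this agent
    may write (the authorization half, CWE-863)."""
    lines = []
    for rec in records:
        index = rec["index"]
        if not INDEX_NAME_RE.fullmatch(index):
            raise ValueError(f"invalid index name: {index!r}")
        if not index.startswith(allowed_prefix):
            raise PermissionError(f"agent may not write to {index!r}")
        lines.append(json.dumps({"index": {"_index": index, "_id": str(rec["id"])}}))
        lines.append(json.dumps(rec["data"]))
    return "\n".join(lines) + "\n"


def parse_bulk_ops(body):
    """Walk an NDJSON bulk body and return (action, index, id) per operation.
    index/create/update actions consume one following source line; delete
    does not. A proxy or audit check would compare this list against what
    the agent is allowed to do."""
    lines = [ln for ln in body.split("\n") if ln.strip()]
    ops, i = [], 0
    while i < len(lines):
        (action, meta), = json.loads(lines[i]).items()
        ops.append((action, meta.get("_index"), meta.get("_id")))
        i += 1 if action == "delete" else 2
    return ops


# Constructed sample data: a benign inventory record and one whose index
# value carries a smuggled delete against an alerts index. Names are made up.
BENIGN = [{"index": "wazuh-states-inventory-system",
           "id": "agent-007", "data": {"agent": "agent-007", "os": "debian"}}]

SMUGGLED_INDEX = (
    'wazuh-states-inventory-system","_id":"junk"}}\n'    # close the real action
    '{}\n'                                               # its (empty) source doc
    '{"delete":{"_index":"wazuh-alerts-sample","_id":"evidence-1"}}\n'
    '{"index":{"_index":"wazuh-states-inventory-system'  # re-open so the tail parses
)
MALICIOUS = [{"index": SMUGGLED_INDEX, "id": "agent-007",
              "data": {"agent": "agent-007", "os": "debian"}}]


def demo():
    """Return (ops from vulnerable builder, ops from hardened builder on benign
    input, whether the hardened builder rejected the smuggled index)."""
    vuln_ops = parse_bulk_ops(build_bulk_vulnerable(MALICIOUS))
    safe_ops = parse_bulk_ops(build_bulk_hardened(BENIGN, "wazuh-states-inventory-"))
    try:
        build_bulk_hardened(MALICIOUS, "wazuh-states-inventory-")
        rejected = False
    except ValueError:
        rejected = True
    return vuln_ops, safe_ops, rejected


if __name__ == "__main__":
    vuln_ops, safe_ops, rejected = demo()
    print("vulnerable builder produced:", vuln_ops)
    print("hardened builder produced:", safe_ops)
    print("hardened builder rejected smuggled index:", rejected)
```

The vulnerable builder turns one agent record into three operations, one of them a delete against an index the agent never legitimately touches, which is exactly the evidence-deletion primitive the advisory describes. json.dumps on the whole action line alone stops the line smuggling; the name allow-list and the prefix check are the separate fix for the authorization gap, since an agent that can freely choose a well-formed _index can still overwrite other agents' data.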
The issue has been patched in Wazuh 5.0.0-beta3 (GitHub advisory GHSA-ff9g-85jq-r3g3). Organizations using affected versions are advised to upgrade immediately, review OpenSearch and Wazuh logs for unexpected delete, index, or update operations against alert, vulnerability, and inventory indices, and stop relying on anonymous agent enrollment by requiring authentication for registration. The vulnerability poses a critical risk to threat detection and response integrity, as attackers can silently alter security data to evade detection.
Source: https://cybersecuritynews.com/wazuh-vulnerability/
Wazuh TPRM report: https://www.rankiteo.com/company/wazuh
"id": "waz1781519186",
"linkid": "wazuh",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Organizations using Wazuh '
'Manager 5.0.0-beta1',
'industry': 'Cybersecurity',
'name': 'Wazuh',
'type': 'Cybersecurity Software Provider'}],
'attack_vector': 'Remote',
'customer_advisories': 'Organizations using affected versions are advised to '
'upgrade immediately and review logs for unauthorized '
'index modifications.',
'data_breach': {'sensitivity_of_data': 'High (forensic evidence, security '
'monitoring data)',
'type_of_data_compromised': 'Security logs, alerts, '
'vulnerability data, inventory '
'data, Kibana dashboard content'},
'description': 'A severe security flaw in Wazuh Manager (CVE pending, CVSS '
'10.0) has been disclosed, enabling remote attackers to '
'manipulate security alerts, delete forensic evidence, and '
'tamper with SIEM data. The vulnerability affects Wazuh '
'Manager 5.0.0-beta1 and stems from an NDJSON injection flaw '
'in the `inventory_sync` subsystem, where untrusted input in '
'the `DataValue.index` field is improperly sanitized. The flaw '
'allows malicious or compromised agents to inject arbitrary '
'OpenSearch bulk operations by embedding crafted JSON '
'fragments and newline characters into the `_index` field. '
'Exploiting this vulnerability requires no authentication due '
'to insecure default configurations in `wazuh-authd`, which '
'permits anonymous agent enrollment. Once enrolled, attackers '
'can delete arbitrary documents, modify vulnerability and '
'inventory data, inject malicious content into Kibana '
'dashboards, and manipulate cross-tenant data in shared '
'environments.',
'impact': {'brand_reputation_impact': 'Critical risk to security product '
'integrity',
'data_compromised': 'Security alerts, forensic evidence, SIEM '
'data, vulnerability and inventory data, '
'Kibana dashboards',
'operational_impact': 'Threat detection and response integrity '
'compromised, potential evasion of security '
'controls',
'systems_affected': 'Wazuh Manager 5.0.0-beta1'},
'lessons_learned': 'Importance of input validation, proper neutralization of '
'special characters, and secure default configurations in '
'security software.',
'post_incident_analysis': {'corrective_actions': 'Patch applied in Wazuh '
'5.0.0-beta3, improved input '
'sanitization, and secure '
'default configurations',
'root_causes': 'Lack of input validation in '
'`DataValue.index` field, improper '
'neutralization of special '
'characters, insecure default '
'configurations in `wazuh-authd`'},
'recommendations': 'Upgrade to Wazuh 5.0.0-beta3 immediately, review logs for '
'unauthorized modifications, and audit agent enrollment '
'processes.',
'references': [{'source': 'GitHub Advisory', 'url': 'GHSA-ff9g-85jq-r3g3'}],
'response': {'containment_measures': 'Upgrade to Wazuh 5.0.0-beta3',
'recovery_measures': 'Review logs for unauthorized index '
'modifications',
'remediation_measures': 'Patch applied in Wazuh 5.0.0-beta3 '
'(GHSA-ff9g-85jq-r3g3)'},
'title': 'Critical Wazuh Manager Vulnerability Allows Remote Data Tampering '
'and Evidence Deletion',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'NDJSON injection in `inventory_sync` subsystem '
'(CWE-74, CWE-93, CWE-863)'}