Wazuh NULL Pointer Dereference Vulnerability in DecodeCiscat Function Allowing Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in Wazuh versions through 4.10.3, within the DecodeCiscat function. This issue arises because the function does not properly validate the return value of cJSON_GetObjectItem, potentially leading to a crash of the analysisd component. An attacker can exploit this vulnerability by sending a specially crafted message from a compromised agent to the Wazuh manager, causing analysisd to become unavailable.
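The bug class described above, as an added example that is not Wazuh's code: a lookup that returns NULL for an absent key, the unchecked dereference shown in a comment, and a checked decoder run over constructed messages. The `item` struct and `get_object_item` are minimal stand-ins for cJSON's node type and `cJSON_GetObjectItem`; the `kind` and `id` keys and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a cJSON node (assumption: the real struct has more fields). */
typedef struct item {
    struct item *next, *child;   /* sibling list; first member of an object */
    const char *string;          /* member key */
    const char *valuestring;     /* set only for string values */
} item;

/* Stand-in for cJSON_GetObjectItem: returns NULL when the key is absent. */
static item *get_object_item(const item *obj, const char *key) {
    if (obj == NULL || key == NULL) return NULL;
    for (item *c = obj->child; c != NULL; c = c->next)
        if (c->string != NULL && strcmp(c->string, key) == 0) return c;
    return NULL;
}

/* Unchecked pattern behind this bug class (shown, not called):
 *     const char *kind = get_object_item(msg, "kind")->valuestring;
 * If "kind" is absent the lookup returns NULL and the dereference crashes. */

/* Checked decoder: 0 on success, -1 when the message must be dropped. */
int decode_checked(const item *msg, const char **kind_out) {
    const item *kind = get_object_item(msg, "kind");
    if (kind == NULL || kind->valuestring == NULL) return -1; /* absent or not a string */
    *kind_out = kind->valuestring;
    return 0;
}

/* Constructed samples: 0 = well-formed, 1 = key missing, 2 = value not a string. */
int run_sample(int which) {
    item good = { NULL, NULL, "kind", "example" };
    item other = { NULL, NULL, "id", "42" };
    item not_string = { NULL, NULL, "kind", NULL };
    item msg = { NULL, which == 0 ? &good : which == 1 ? &other : &not_string, NULL, NULL };
    const char *kind = NULL;
    return decode_checked(&msg, &kind);
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("sample %d -> %s\n", i, run_sample(i) == 0 ? "decoded" : "rejected");
    return 0;
}
```

Rejecting the message and continuing keeps the decoder process available when one agent sends malformed input.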

Impact

Exploitation of this vulnerability leads to a crash of the analysisd process, causing it to become unresponsive and unavailable for normal operations.

Reproduction

The vulnerability can be reproduced by sending a message from a Wazuh agent to the manager that includes a specific payload designed to trigger the NULL pointer dereference. This can be done by enrolling a new agent (if agent enrollment is open) or by compromising an existing agent.

Remediation

Users can upgrade to Wazuh version 4.11.0 or later to address this vulnerability.

Added: Oct 29, 2025, 5:18 PM
Updated: Oct 29, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 0.6
exploitability: 8.0
remediation: 7.7
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.