Horizon Alert
Summary of the vulnerability and why it matters
A vulnerability has been identified in Wazuh Manager that could allow enrolled agents to manipulate critical security data by injecting malicious operations. This occurs when the manager improperly handles data values, enabling unauthorized document deletion, alert tampering, and manipulation of security information across agents.
- Agents can alter security data and alerts.
- Leadership should recall risks to security data integrity.
- Confirm relevance and exposure of this system.
Attack Path
How an attacker could exploit the issue
An attacker with access to an enrolled agent could manipulate data sent to the Wazuh Manager. By crafting special requests, they can inject commands that the manager executes with its own administrative privileges, potentially altering or deleting critical security data.
- Requires an enrolled agent.
- Injects commands via agent data.
- Risks data tampering and deletion.
Live Threat
Current exploitation, exposure, and threat context
Wazuh Manager could allow enrolled agents to inject arbitrary NDJSON operations into OpenSearch bulk requests, potentially impacting system data and service behavior. This could occur when the `DataValue.index` field is not properly escaped, enabling attackers to execute delete, index, or update operations under the manager's administrative credentials. The consequences may include document deletion and alert tampering when supported by the advisory.
- System data and alerts at risk.
- Agents inject NDJSON operations.
- Document deletion and alert tampering.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability impacts Wazuh Manager deployments where agents can interact with the manager's OpenSearch bulk requests. The immediate priority is for infrastructure or platform teams to identify all instances of the affected Wazuh Manager, assess their network exposure and criticality, and confirm ownership. Once these are understood, a coordinated remediation plan, potentially involving vendor coordination or temporary risk reduction measures, can be developed and executed, likely during a planned maintenance window.
- Infrastructure or Platform Teams should own the issue.
- Verify manager reachability and asset criticality.
- Plan remediation during a maintenance window.