cvelistv5 - CVE-2025-34294

CVE-2025-34294 (GCVE-0-2025-34294)

Vulnerability from cvelistv5 – Published: 2025-10-28 15:48 – Updated: 2025-12-19 14:24

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg ) for further information.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-12-19T14:24:12.863Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory (\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg\"\u003ehttps://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg\u003c/a\u003e)\u0026nbsp;for further information."
            }
          ],
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg )\u00a0for further information."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-34294",
    "datePublished": "2025-10-28T15:48:15.981Z",
    "dateRejected": "2025-12-19T14:23:42.185Z",
    "dateReserved": "2025-04-15T19:15:22.581Z",
    "dateUpdated": "2025-12-19T14:24:12.863Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-34294\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2025-10-28T16:15:37.167\",\"lastModified\":\"2025-12-19T15:15:55.860\",\"vulnStatus\":\"Rejected\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg )\u00a0for further information.\"}],\"metrics\":{},\"references\":[]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-12-19T14:24:12.863Z\"}, \"rejectedReasons\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory (\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg\\\"\u003ehttps://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg\u003c/a\u003e)\u0026nbsp;for further information.\"}], \"value\": \"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg )\\u00a0for further information.\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-34294\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"state\": \"REJECTED\", \"assignerShortName\": \"VulnCheck\", \"dateReserved\": \"2025-04-15T19:15:22.581Z\", \"datePublished\": \"2025-10-28T15:48:15.981Z\", \"dateUpdated\": \"2025-12-19T14:24:12.863Z\", \"dateRejected\": \"2025-12-19T14:23:42.185Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-8V97-27J3-GGR7

Vulnerability from github – Published: 2025-10-28 18:30 – Updated: 2025-10-28 18:30

Details

Wazuh's File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.

Severity ?

7.1 (High)


                  
                    CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-34294"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-28T16:15:37Z",
    "severity": "HIGH"
  },
  "details": "Wazuh\u0027s File Integrity Monitoring (FIM), when configured with automatic threat removal, contains a time-of-check/time-of-use (TOCTOU) race condition that can allow a local, low-privileged attacker to cause the Wazuh service (running as NT AUTHORITY\\SYSTEM) to delete attacker-controlled files or paths. The root cause is insufficient synchronization and lack of robust final-path validation in the threat-removal workflow: the agent records an active-response action and proceeds to perform deletion without guaranteeing the deletion target is the originally intended file. This can result in SYSTEM-level arbitrary file or folder deletion and consequent local privilege escalation. Wazuh made an attempted fix via pull request 8697 on 2025-07-10, but that change was incomplete.",
  "id": "GHSA-8v97-27j3-ggr7",
  "modified": "2025-10-28T18:30:29Z",
  "published": "2025-10-28T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34294"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wazuh/wazuh-documentation/pull/8697"
    },
    {
      "type": "WEB",
      "url": "https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html"
    },
    {
      "type": "WEB",
      "url": "https://wazuh.com/blog/detecting-and-responding-to-malicious-files-using-cdb-lists-and-active-response"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wazuh-file-integrity-monitoring-and-active-response-arbitrary-file-deletion-as-system"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2025-34294

Vulnerability from fkie_nvd - Published: 2025-10-28 16:15 - Updated: 2025-12-19 15:15

Severity ?

Summary

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg ) for further information.

References

	URL	Tags

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as the behavior originates from a documentation-published Active Response example script. Please refer to this advisory ( https://github.com/wazuh/wazuh-documentation/security/advisories/GHSA-46r5-xp98-fpgg )\u00a0for further information."
    }
  ],
  "id": "CVE-2025-34294",
  "lastModified": "2025-12-19T15:15:55.860",
  "metrics": {},
  "published": "2025-10-28T16:15:37.167",
  "references": [],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Rejected"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-34294 (GCVE-0-2025-34294)

GHSA-8V97-27J3-GGR7

FKIE_CVE-2025-34294

Tags

Sightings

Nomenclature