What is CVE-2025-15617?

CVE-2025-15617 is a high-severity vulnerability in Wazuh that exposes the GITHUB_TOKEN through GitHub Actions workflow artifacts. This vulnerability can lead to unauthorized actions within a limited time frame. Organizations are urged to prioritize patching to mitigate risk.

What is the severity of CVE-2025-15617?

CVE-2025-15617 has a severity rating of HIGH with a CVSS base score of 8.3.

CVE-2025-15617 | High Vulnerability in Wazuh

CVE-2025-15617 identifies a significant vulnerability in Wazuh version 4.12.0. This vulnerability allows attackers to extract the GITHUB_TOKEN from uploaded GitHub Actions workflow artifacts. The exposed token can be exploited within a limited time frame to perform unauthorized actions, including pushing malicious commits or altering release tags. With a CVSS score of 8.3, this vulnerability is classified as high severity, indicating a serious risk to organizations utilizing this software.

Risk to organizations includes potential unauthorized access and manipulation of code repositories, which can significantly impact the integrity of software development processes. Given the nature of GitHub Actions and their integration into CI/CD pipelines, the exploitation of this vulnerability can lead to severe consequences. Organizations using Wazuh are strongly encouraged to address this vulnerability in their patch cycles.

Currently, there are no known public exploits for this vulnerability, and it has not been included in the Known Exploited Vulnerabilities (KEV) catalog. However, the nature of the vulnerability presents an urgent risk, and organizations should prioritize patching immediately.

The publication date of this vulnerability is March 27, 2026, and it has been analyzed for potential impacts and remediation strategies. The urgency for defenders to mitigate this risk cannot be overstated.

Vulnerability Details

Wazuh version 4.12.0 contains an exposure vulnerability in GitHub Actions workflow artifacts that allows attackers to extract the GITHUB_TOKEN from uploaded artifacts. This vulnerability is classified under CWE-522, indicating an exposure of sensitive information. The CVSS score for this vulnerability is 8.3, reflecting a high severity level due to its potential impact on integrity and availability.

Technical Analysis

The root cause of this vulnerability lies in the exposure of sensitive tokens through workflow artifacts in GitHub Actions. The attack vector is network-based, with a high attack complexity, meaning that potential attackers need to exploit multiple conditions to successfully execute an attack. This vulnerability requires no privileges and no user interaction, making it particularly dangerous.

Risk & Impact Analysis

The real-world risk associated with this vulnerability is significant, primarily due to the potential for unauthorized modifications to software repositories. This can lead to compromised code integrity and introduce malicious changes into production environments. The urgency for organizations to patch this vulnerability is high, given its impact on availability and integrity, as indicated by its CVSS score and the critical nature of tokens involved.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected version of Wazuh is 4.12.0. Organizations should consider all versions prior to vendor patch as vulnerable.

Mitigation & Remediation

Organizations should prioritize applying available patches as soon as possible. For those unable to immediately patch, consider implementing additional security measures such as restricting access to GitHub Actions workflows and regularly monitoring for unauthorized changes. More information on effective security practices can be found in our guide on penetration testing methodology to enhance your security posture.

Detection Guidance

Monitoring for unusual activities in GitHub Actions workflows and reviewing commit histories can help in detecting potential exploitation attempts. Organizations should also ensure that logs are maintained for auditing and forensic purposes.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2025-15617 highlights the need for organizations to implement secure coding practices and continuous monitoring of their CI/CD pipelines. This vulnerability represents an ongoing trend of exposing sensitive information through development tools, underscoring the importance of security awareness in development teams. Security teams should learn from this incident to enhance their security frameworks and adopt best practices in security testing best practices to prevent similar vulnerabilities.

For organizations using cloud technologies, regular assessments and adherence to guidelines in our cloud security assessment guide can help mitigate exposure risks.

Lastly, implementing a robust incident response plan is crucial for addressing and managing vulnerabilities as they arise.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-15617: High Vulnerability in Wazuh