
Critical Wazuh Vulnerability Lets Attackers Tamper with Alerts and Delete Security Evidence

Cybersecurity News, archived Jun 15, 2026


By Abinaya, June 15, 2026

A critical security flaw in Wazuh Manager has been disclosed that could allow remote attackers to manipulate security alerts, delete forensic evidence, and tamper with SIEM data across environments. The vulnerability carries a maximum CVSS score of 10.0, highlighting its severe impact and ease of exploitation. The issue affects Wazuh Manager version 5.0.0-beta1 and stems from an NDJSON injection flaw in the newly introduced inventory_sync subsystem.

The affected code appends the agent-supplied index name straight into the NDJSON bulk body:

```cpp
m_bulkData.append(R"({"index":{"_index":")");
m_bulkData.append(index); // Untrusted input
m_bulkData.append(R"("}})");
m_bulkData.append("\n");
```

The vulnerability allows a malicious or compromised agent to inject arbitrary OpenSearch bulk operations by abusing the DataValue.index field, which is used without sanitization.

Wazuh Manager forwards agent-supplied data directly to the OpenSearch _bulk API. While fields such as _id are properly escaped, the _index field is appended without validation or filtering. This inconsistency enables attackers to inject additional operations, such as delete, index, or update, into the request payload, using an index value such as:

```
wazuh-states-inventory"}}
{}
{"delete":{"_index":"wazuh-alerts-*","_id":"target-doc"}}
{"index":{"_index":"x
```

By embedding newline characters and JSON fragments into the index field, an attacker can smuggle unauthorized bulk actions into the request. These malicious operations are executed under the Wazuh indexer credentials, which by default often have admin privileges with full access.

The attack requires no authentication because insecure default configurations in wazuh-authd allow anonymous agent enrollment. Once enrolled, an attacker can:

- Delete arbitrary documents from Wazuh indices, effectively erasing alerts and logs.
- Modify vulnerability and inventory data for other agents.
- Inject malicious content into Kibana dashboards for persistence or analyst targeting.
- Perform cross-tenant data manipulation in shared environments.

PoC repository (source: GitHub)

Researchers demonstrated a full end-to-end exploit over standard Wazuh communication channels (TCP ports 1514 and 1515), confirming that injected delete operations successfully removed targeted records from the backend.

The vulnerability is primarily categorized under CWE-74 (Injection), along with CWE-93 (CRLF Injection) and CWE-863 (Incorrect Authorization). The root cause lies in the lack of input validation and improper neutralization of special characters in the DataValue.index field. Because the Wazuh Manager uses high-privileged OpenSearch credentials stored in its keystore, the flaw effectively grants attackers administrative control over the security data it indexes.

According to the GitHub advisory GHSA-ff9g-85jq-r3g3, the issue has been fixed in Wazuh version 5.0.0-beta3. Users are strongly advised to upgrade immediately.

Recommended Mitigations

- Implement strict validation for index names based on OpenSearch rules.
- Escape all user-controlled input before constructing bulk requests.
- Avoid using high-privilege roles, such as admin, for indexer operations.
- Disable anonymous agent enrollment and enforce secure authentication.

This vulnerability poses a significant risk to organizations relying on Wazuh for threat detection and response. By enabling silent data tampering and evidence removal, attackers can evade detection and undermine trust in security monitoring systems. Organizations using affected versions should treat this as a priority patching event and review logs for any signs of unauthorized index modifications.
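As an added illustration (not Wazuh project code and not taken from the advisory), the following C++ shows what the first two mitigations look like for the appending logic quoted in the article: the index name is checked against OpenSearch's published index-name restrictions (lowercase only; no `\ / * ? " < > | , # :` or whitespace/control characters; no leading `-`, `_` or `+`; not `.` or `..`; at most 255 bytes), and both the index and the document id are JSON-escaped before they are placed in the action line. A second builder mirroring the article's unvalidated snippet is kept alongside only to show how many bulk actions the injected index value would turn into. All function names, the constructed sample payload and the exact rule set are assumptions of this example.

```cpp
// Added example (not Wazuh project code): hardened construction of an
// OpenSearch _bulk action line. Names and signatures below are assumptions.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

// JSON-escape a string per RFC 8259 so it can never close its quotes early
// or introduce a newline that the NDJSON bulk parser would read as a new action.
std::string jsonEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (unsigned char c : in) {
        switch (c) {
            case '"':  out += "\\\""; break;
            case '\\': out += "\\\\"; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            case '\b': out += "\\b";  break;
            case '\f': out += "\\f";  break;
            default:
                if (c < 0x20) {                 // remaining control characters
                    char buf[7];
                    std::snprintf(buf, sizeof buf, "\\u%04x", c);
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    return out;
}

// Allow-list check against OpenSearch's documented index naming rules (assumed
// here as: lowercase, no \ / * ? " < > | , # : or whitespace/control chars,
// no leading - _ +, not "." or "..", at most 255 bytes).
bool isValidIndexName(const std::string& name) {
    if (name.empty() || name.size() > 255) return false;
    if (name == "." || name == "..") return false;
    if (name[0] == '-' || name[0] == '_' || name[0] == '+') return false;
    static const std::string forbidden = "\\/*?\"<>|,#: ";
    for (unsigned char c : name) {
        if (c < 0x20 || c == 0x7f) return false;      // covers \n and \r
        if (c >= 'A' && c <= 'Z') return false;       // must be lowercase
        if (forbidden.find(static_cast<char>(c)) != std::string::npos) return false;
    }
    return true;
}

// Hardened counterpart of the article's append sequence: the index is validated
// and both fields are escaped. Returns nullopt rather than emitting anything
// when the index is rejected, so no extra NDJSON actions can be smuggled in.
std::optional<std::string> buildBulkIndexAction(const std::string& index,
                                                const std::string& id) {
    if (!isValidIndexName(index)) return std::nullopt;
    std::string line = R"({"index":{"_index":")";
    line += jsonEscape(index);
    line += R"(","_id":")";
    line += jsonEscape(id);
    line += R"("}})";
    line += '\n';
    return line;
}

// Number of actions the bulk parser would see: one per newline-terminated line.
std::size_t countBulkLines(const std::string& body) {
    std::size_t n = 0;
    for (char c : body) if (c == '\n') ++n;
    return n;
}

// Unvalidated builder mirroring the article's snippet, kept only for contrast.
std::string buildBulkIndexActionUnsafe(const std::string& index) {
    std::string line = R"({"index":{"_index":")";
    line += index;                               // untrusted input, unescaped
    line += R"("}})";
    line += '\n';
    return line;
}

// Constructed sample input shaped like the injected index value in the article.
const std::string kInjectedIndex =
    "wazuh-states-inventory\"}}\n{}\n"
    "{\"delete\":{\"_index\":\"wazuh-alerts-*\",\"_id\":\"target-doc\"}}\n"
    "{\"index\":{\"_index\":\"x";

int main() {
    auto ok = buildBulkIndexAction("wazuh-states-inventory", "agent-001");
    std::printf("valid index -> %s", ok ? ok->c_str() : "rejected\n");
    auto bad = buildBulkIndexAction(kInjectedIndex, "agent-001");
    std::printf("injected index -> %s\n", bad ? "accepted" : "rejected");
    std::printf("unsafe builder emitted %zu action lines\n",
                countBulkLines(buildBulkIndexActionUnsafe(kInjectedIndex)));
    return 0;
}
```

The allow-list check is what actually closes the hole: even if escaping were skipped, a name containing `"`, `*` or a newline is refused before it reaches the body, and the `*` rule also prevents an agent from naming a wildcard pattern such as `wazuh-alerts-*`. Escaping is kept as a second layer so that a future field that legitimately carries free text (like `_id`) is handled the same way.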