Vulnerability Inventory not working on Windows hosts


Daniel

Apr 14, 2026, 10:07:09 AM (13 days ago) Apr 14
to Wazuh | Mailing List
Wazuh 4.14.3

Config on target:
<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>

  <!-- Manager connection: where the agent reports to and how it enrolls. -->
  <client>
    <server>
      <address>10.1.2.57</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <!-- Profile names; an <agent_config profile="..."> block in the manager's
         shared agent.conf that matches one of them also applies to this agent. -->
    <config-profile>windows, windows2019, windows-server, windows-server-2019</config-profile>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <!-- NOTE(review): enrollment is on, but this block sets neither server_ca_path
         nor authorization_pass_path, so as written nothing here makes the agent
         check the manager certificate or present an enrollment password. Confirm
         that this is intended for the network the agent enrolls over. -->
    <enrollment>
        <enabled>yes</enabled>
        <manager_address>10.1.2.57</manager_address>
        <groups>default,windows</groups>
    </enrollment>
  </client>


  <!-- Agent buffer options: buffering is enabled with a 5000-event queue and a
       500 events-per-second send limit. -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis: three Windows event channels plus the agent's own
       active-response log. -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <!-- The query forwards every Security event except the listed IDs. Those
         IDs cover object-access auditing (4656, 4658, 4660, 4663, 4690),
         detailed file-share access (5145) and Windows Filtering Platform
         events (5152, 5156, 5157, 5447), plus 4670, 4703 and 4907. Any manager
         rule keyed on one of them gets no input from this agent. -->
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Relative path; presumably resolved against the agent install directory. -->
  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring: rootcheck is enabled and reads its application and
       malware check lists from the shared directory. -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment: enabled, scans when the agent starts
       and then every 12 hours. -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring: watches selected system binaries, the Startup
       folder and a set of registry keys. -->
  <syscheck>

    <disabled>no</disabled>

    <!-- Scan period in seconds; 43200 is 12 hours. -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <!-- NOTE(review): from regedt32.exe to sethc.exe the alternatives below carry
         no trailing $, unlike the matching System32 list further down, and
         regedit.exe$ is missing from this list. Without the $ those entries are
         not tied to the end of the file name. Confirm whether the two lists are
         meant to differ. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <!-- The all-users Startup folder is the only path watched in real time. -->
    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <!-- NOTE(review): this pattern has no path, so it presumably applies to every
         monitored directory, the Startup folder included. Confirm that files
         with these extensions may go unreported there. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <!-- Autorun and logon keys. -->
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <!-- NOTE(review): RunOnceEx is also listed under windows_registry above.
         If the ignore entry wins, this autorun key is effectively unmonitored;
         confirm which of the two entries is intended. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory: syscollector is enabled, scans at start and then every
       5 minutes, and collects every inventory category listed below. -->
   <wodle name="syscollector">
     <disabled>no</disabled>
     <interval>5m</interval>
     <scan_on_start>yes</scan_on_start>
     <hardware>yes</hardware>
     <os>yes</os>
     <network>yes</network>
     <packages>yes</packages>
     <!-- all="no" limits the port inventory to listening ports. -->
     <ports all="no">yes</ports>
     <processes>yes</processes>
     <users>yes</users>
     <groups>yes</groups>
     <services>yes</services>
     <browser_extensions>yes</browser_extensions>
     <!-- Packages and hotfixes are the inventory the manager needs to evaluate
          Windows vulnerabilities; both are switched on here. -->
     <hotfixes>yes</hotfixes>

     <!-- Database synchronization settings -->
     <synchronization>
       <max_eps>10</max_eps>
     </synchronization>
   </wodle>

  <!-- CIS policies evaluation: the module is disabled in this configuration. -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <!-- NOTE(review): java_path is a UNC path. If the module is ever enabled the
         agent would run java.exe from that network share, so write access to
         the share would need to be tightly restricted; a local path avoids the
         dependency. -->
    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration: disabled here; the paths only matter once
       <disabled> is set to no. -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response: enabled on this agent, with CA verification kept on
       against the wpk_root.pem store (presumably used to verify signed WPK
       upgrade packages; confirm against the Wazuh reference). -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Internal agent log format: plain, json, or both; plain is selected. -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->

Logs:
2026/04/14 11:43:17 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/04/14 11:43:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/04/14 11:48:29 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/04/14 11:48:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/04/14 11:53:41 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/04/14 11:53:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.

No data is showing in Vulnerability Detection for the host, while Linux hosts have that page filled with data.

Attachment: Screenshot 2026-04-14 115929.png

Gustavo Choquevilca

Apr 14, 2026, 11:32:40 AM (13 days ago) Apr 14
to Wazuh | Mailing List

Hello,

Based on what you’ve described, the issue does not seem to be on the server side, since vulnerability detection is working correctly for Linux agents.

The problem is likely on the agent side, specifically related to the syscollector module, which is responsible for sending system inventory data to the Wazuh manager for analysis.

Please review the following points:

  • Check if there is any centralized configuration disabling the syscollector module. For example, in the default centralized file:
    /var/ossec/etc/shared/default/agent.conf

    Ensure syscollector is enabled:

    <wodle name="syscollector">
      <disabled>no</disabled>
      ...
    </wodle>

    Keep in mind that centralized configuration always takes precedence over the local agent configuration.

  • Try restarting the agent after making any configuration changes, as they will not be applied until the agent is fully restarted.

  • Check the agent logs for any errors related to syscollector or vulnerability detection.

Could you also confirm:

  • Which Windows versions are affected?

  • Are the Windows agents properly connected to the manager?

  • Do you see any errors in ossec.log related to the Vulnerability Detector module?

           On the manager:

           cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
           cat /var/ossec/logs/ossec.log | grep -i -E "vulnerability|indexer-connector"

          On the agent:

           Get-Content "C:\Program Files (x86)\ossec-agent\ossec.log" | Select-String -Pattern "syscollector"
  • Additionally, you can enable debug logging on the manager to gather more details about Vulnerability Detection:

            wazuh_modules.debug=2

            Add this to local_internal_options.conf and restart the manager afterwards.

Please share this information so I can help you identify the root cause.

Gustavo Choquevilca

Apr 14, 2026, 3:08:42 PM (13 days ago) Apr 14
to Wazuh | Mailing List
As a correction: "Which Windows versions are affected?" -> I meant to ask which version of Windows agents is affected?

Gustavo Choquevilca

Apr 16, 2026, 6:37:40 AM (11 days ago) Apr 16
to Wazuh | Mailing List
Hello Daniel,

I just wanted to follow up on this issue. Were you able to review the previous suggestions or make any progress on your side?

If you’re still experiencing the problem, feel free to share the requested information or let me know if you have any questions. I’ll be happy to assist further.

Daniel

Apr 16, 2026, 9:11:34 AM (11 days ago) Apr 16
to Wazuh | Mailing List
Hi Gustavo,

sorry for the late answer, been busy.

  1. Agents are all part of the default and windows groups
    1. Windows group has the following config:
        <agent_config>
          <!-- Shared agent configuration here -->
          <localfile>
            <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
            <log_format>eventchannel</log_format>
            <query>Event[System/EventID = 2003 or System/EventID = 2004 or System/EventID = 2005 or System/EventID = 2006]</query>
          </localfile>
          <!-- Access control eventIDs -->

          <localfile>
            <location>Security</location>
            <log_format>eventchannel</log_format>
            <query>Event[System/EventID = 4624 or System/EventID = 4625 or System/EventID = 4634 or System/EventID = 4647]</query>
          </localfile>
        </agent_config>

  1. Local config on the agent is the following:
         <!-- System inventory -->
         <wodle name="syscollector">
           <disabled>no</disabled>
           <interval>1h</interval>
           <scan_on_start>yes</scan_on_start>
           <hardware>yes</hardware>
           <os>yes</os>
           <network>yes</network>
           <packages>yes</packages>
           <ports all="no">yes</ports>
           <processes>yes</processes>
           <users>yes</users>
           <groups>yes</groups>
           <services>yes</services>
           <browser_extensions>yes</browser_extensions>
           <hotfixes>yes</hotfixes>

           <!-- Database synchronization settings -->
           <synchronization>
             <max_eps>10</max_eps>
           </synchronization>
         </wodle>
  1. Affected hosts are all Windows Servers, ranging from 2012 to 2019 (don't have any non-server Windows in the perimeter)
  2. Agents all appear online
  3. No error appears on agent /server logs related to syscollector or vulnerability detector
  4. Agents and Manager have been restarted but no change
  5. Debug 2 outputted these logs:
        Apr 16, 2026 @ 17:06:23.000 wazuh-modulesd:vulnerability-scanner DEBUG Scanning OS - 'windows_server_2019' (Installed Version: 10.0.17763.8511, Security Vulnerability: CVE-2025-26674). Identified vulnerability: Version: 10.0.17763.0. Required Version Threshold: 10.0.17763.7136. Required Version Threshold (or Equal): .
        Apr 16, 2026 @ 17:06:23.000 wazuh-modulesd:vulnerability-scanner DEBUG No match due to default status for OS: windows_server_2019, Version: 10.0.17763.8511 while scanning for Vulnerability: CVE-2025-26674
        Apr 16, 2026 @ 17:06:23.000 wazuh-modulesd:vulnerability-scanner DEBUG Scanning OS - 'windows_server_2019' (Installed Version: 10.0.17763.8511, Security Vulnerability: CVE-2025-26676). Identified vulnerability: Version: 10.0.17763.0. Required Version Threshold: 10.0.17763.7136. Required Version Threshold (or Equal): .

Gustavo Choquevilca

Apr 16, 2026, 10:57:54 AM (11 days ago) Apr 16
to Wazuh | Mailing List
Thank you for sharing the requested information. This rules out manager/indexer/CTI feed issues — the problem is specific to the Windows agents. Here's what we need to check:
                                                                                                                                                                                     
1. Verify syscollector is syncing data to the manager                                                                                                                                
                                                                                                                                                                                     
Run the following against an affected Windows agent (replace {AGENT_ID} and $TOKEN):                                                                                                  
                                                                                                                                                                                     
Check packages:                                                                                                                                                                      
# Ask the Wazuh server API for up to five package records stored for the agent.
# -k makes curl skip TLS certificate verification, so a spoofed endpoint would go
# unnoticed; keep it to localhost with a self-signed certificate, or pass the CA
# file with --cacert instead.
curl -k -X GET "https://localhost:55000/syscollector/{AGENT_ID}/packages?pretty=true&limit=5" \
 -H "Authorization: Bearer $TOKEN"

Check hotfixes (critical for Windows vulnerability detection)                                                                                                                      
# Ask the Wazuh server API for up to five hotfix records stored for the agent.
# -k disables TLS certificate verification; outside of a localhost call, supply
# the CA with --cacert so the bearer token is only sent to a verified server.
curl -k -X GET "https://localhost:55000/syscollector/{AGENT_ID}/hotfixes?pretty=true&limit=5" \
 -H "Authorization: Bearer $TOKEN"
                                                                                                                                                                                     
  • If these return data → syscollector is working, the issue is in the vulnerability scanner side
  • If these return empty → syscollector is not syncing properly with the manager                                                                                                      
               
2. Check if any Windows vulnerability data exists in the index                                                                                                                        

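# Ask the indexer for one vulnerability-state document whose host.os.type is "windows".
# Replace <USER> and <PASSWORD>. A password typed after -u lands in shell history and
# the process list; giving only the user name makes curl prompt for it instead.
# -k skips TLS certificate verification; prefer --cacert with the indexer's root CA.
# Each backslash must be the last character on its line: trailing spaces after it
# end the command early.
curl -k -u <USER>:<PASSWORD> \
 -H "Content-Type: application/json" \
  "https://localhost:9200/wazuh-states-vulnerabilities*/_search?pretty" \
 -d '{"query":{"term":{"host.os.type":"windows"}},"size":1}'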


 or for a specific agent

 curl -k -u <USER>:<PASSWORD> "https://localhost:9200/wazuh-states-vulnerabilities*/_search?q=agent.id:017&pretty"
                                                                                                                 

3. Check the default group agent.conf                                                                                                                                                
               
All agents are in the default group. If the default group's agent.conf has a syscollector block with <disabled>yes</disabled>, it would override the local agent config and silently  
disable syscollector. Please share the contents of:
                                                                                                                                                                                     
/var/ossec/etc/shared/default/agent.conf                                                                                                                                              

4. Check manager logs for Windows vulnerability scanning activity                                                                                                                    
               
# Print the last 50 manager log lines that mention windows, hotfix, cti or feed
# and also mention vuln or scanner (both matches are case-insensitive).
grep -i "windows\|hotfix\|cti\|feed" /var/ossec/logs/ossec.log | grep -i "vuln\|scanner" | tail -50
                                                                                                                                                                                     
5. One config detail to note
                                                                                                                                                                                     
The agent's ossec.conf has <config-profile>windows, windows2019, windows-server, windows-server-2019</config-profile> defined. If any agent.conf on the manager uses a matching      
<agent_config profile="..."> block that disables syscollector or hotfixes, that would also affect the final config applied to these agents. Please check this.
                                                                                                                                                                                     
           
Please share the output of steps 1 and 2 — that will tell us exactly where in the data flow the problem is occurring.  

Gustavo Choquevilca

Apr 16, 2026, 11:00:13 AM (11 days ago) Apr 16
to Wazuh | Mailing List

Gustavo Choquevilca

Apr 20, 2026, 6:37:28 AM (7 days ago) Apr 20
to Wazuh | Mailing List

Hello Daniel,

I wanted to follow up on this matter and see if you’ve had a chance to review the previous suggestions or make any progress.

If the issue is still ongoing, please feel free to share the requested information or let me know if anything needs clarification. I’ll be glad to assist further.

Daniel

Apr 21, 2026, 9:52:54 AM (6 days ago) Apr 21
to Wazuh | Mailing List
Hi Gustavo,

thanks for your continuous support. Here are the details you requested:

  1. Verify syscollector is syncing data to the manager
    1. {
        "data": {
          "affected_items": [
            {
              "scan": {
                "id": 0,
                "time": "2025-10-16T10:41:26+00:00"
              },
              "name": "Microsoft Visual Studio Tools for Applications 2019",
              "architecture": "i686",
              "section": " ",
              "version": "16.0.31110",
              "install_time": "2025-07-07T10:01:58+00:00",
              "description": " ",
              "format": "win",
              "priority": " ",
              "vendor": "Microsoft Corporation",
              "location": " ",
              "source": " ",
              "size": 0,
              "agent_id": "186"
            },
            {
              "scan": {
                "id": 0,
                "time": "2025-10-16T10:41:26+00:00"
              },
              "name": "SQL Server 2016 Batch Parser",
              "architecture": "x86_64",
              "section": " ",
              "version": "13.0.1601.5",
              "install_time": "2020-02-07T15:44:56+00:00",
              "description": " ",
              "format": "win",
              "priority": " ",
              "vendor": "Microsoft Corporation",
              "location": " ",
              "source": " ",
              "size": 0,
              "agent_id": "186"
            },
            {
              "scan": {
                "id": 0,
                "time": "2025-10-16T10:41:27+00:00"
              },
              "name": "Microsoft Visual Studio Tools for Applications 2017 x86 Hosting Support",
              "architecture": "i686",
              "section": " ",
              "version": "15.0.27520",
              "install_time": "2020-02-07T16:20:04+00:00",
              "description": " ",
              "format": "win",
              "priority": " ",
              "vendor": "Microsoft Corporation",
              "location": " ",
              "source": " ",
              "size": 0,
              "agent_id": "186"
            },
            {
              "scan": {
                "id": 0,
                "time": "2025-10-16T10:41:27+00:00"
              },
              "name": "SQL Server 2019 Connection Info",
              "architecture": "x86_64",
              "section": " ",
              "version": "15.0.2000.5",
              "install_time": "2021-03-09T11:34:31+00:00",
              "description": " ",
              "format": "win",
              "priority": " ",
              "vendor": "Microsoft Corporation",
              "location": " ",
              "source": " ",
              "size": 0,
              "agent_id": "186"
            },
            {
              "scan": {
                "id": 0,
                "time": "2025-10-16T10:41:27+00:00"
              },
              "name": "Microsoft SQL Server 2019 T-SQL Language Service",
              "architecture": "x86_64",
              "section": " ",
              "version": "15.0.2000.5",
              "install_time": "2021-03-09T11:38:29+00:00",
              "description": " ",
              "format": "win",
              "priority": " ",
              "vendor": "Microsoft Corporation",
              "location": " ",
              "source": " ",
              "size": 0,
              "agent_id": "186"
            }
          ],
          "total_affected_items": 91,
          "total_failed_items": 0,
          "failed_items": []
        },
        "message": "All specified syscollector information was returned",
        "error": 0
      }
  1. Check if any Windows vulnerability data exists in the index:
    1. { "_index": "wazuh-states-vulnerabilities-wazuh", "_id": "142_95e0df4f6fef7705c4b8c0e40f50e1a95667c956_CVE-2025-22247_3081065", "_version": 1, "_score": 0, "_source": { "agent": { "id": "142", "name": "vit92-mdomsa100", "type": "Wazuh", "version": "v4.13.1" }, "host": { "os": { "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8276", "name": "Microsoft Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": "10.0.17763.8276" } }, "package": { "architecture": "x86_64", "name": "VMware Tools", "path": "C:\\Program Files\\VMware\\VMware Tools\\", "size": 0, "type": "win", "version": "12.1.0.20219665" }, "vulnerability": { "category": "Packages", "classification": "CVSS", "description": "VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.", "detected_at": "2026-01-26T16:05:13.000Z", "enumeration": "CVE", "id": "CVE-2025-22247", "published_at": "2025-05-12T11:15:49Z", "reference": "http://www.openwall.com/lists/oss-security/2025/05/12/2, http://www.openwall.com/lists/oss-security/2025/05/13/2, https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html, https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683", "scanner": { "condition": "Package less than 12.5.2", "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-22247", "source": "National Vulnerability Database", "vendor": "Wazuh" }, "score": { "base": 6.1, "version": "3.1" }, "severity": "Medium", "under_evaluation": false }, "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } } }, "fields": { "vulnerability.detected_at": [ "2026-01-26T16:05:13.000Z" ], "vulnerability.published_at": [ "2025-05-12T11:15:49.000Z" ] }, "highlight": { "host.os.platform": [ 
"@opensearch-dashboards-highlighted-field@windows@/opensearch-dashboards-highlighted-field@" ] } } { "_index": "wazuh-states-vulnerabilities-wazuh", "_id": "142_95e0df4f6fef7705c4b8c0e40f50e1a95667c956_CVE-2025-22247_3081065", "_version": 1, "_score": 0, "_source": { "agent": { "id": "142", "name": "vit92-mdomsa100", "type": "Wazuh", "version": "v4.13.1" }, "host": { "os": { "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8276", "name": "Microsoft Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": "10.0.17763.8276" } }, "package": { "architecture": "x86_64", "name": "VMware Tools", "path": "C:\\Program Files\\VMware\\VMware Tools\\", "size": 0, "type": "win", "version": "12.1.0.20219665" }, "vulnerability": { "category": "Packages", "classification": "CVSS", "description": "VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.", "detected_at": "2026-01-26T16:05:13.000Z", "enumeration": "CVE", "id": "CVE-2025-22247", "published_at": "2025-05-12T11:15:49Z", "reference": "http://www.openwall.com/lists/oss-security/2025/05/12/2, http://www.openwall.com/lists/oss-security/2025/05/13/2, https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html, https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683", "scanner": { "condition": "Package less than 12.5.2", "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-22247", "source": "National Vulnerability Database", "vendor": "Wazuh" }, "score": { "base": 6.1, "version": "3.1" }, "severity": "Medium", "under_evaluation": false }, "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } } }, "fields": { "vulnerability.detected_at": [ "2026-01-26T16:05:13.000Z" ], "vulnerability.published_at": [ "2025-05-12T11:15:49.000Z" ] }, "highlight": 
{ "host.os.platform": [ "@opensearch-dashboards-highlighted-field@windows@/opensearch-dashboards-highlighted-field@" ] } } { "_index": "wazuh-states-vulnerabilities-wazuh", "_id": "142_95e0df4f6fef7705c4b8c0e40f50e1a95667c956_CVE-2025-22247_3081065", "_version": 1, "_score": 0, "_source": { "agent": { "id": "142", "name": "vit92-mdomsa100", "type": "Wazuh", "version": "v4.13.1" }, "host": { "os": { "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8276", "name": "Microsoft Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": "10.0.17763.8276" } }, "package": { "architecture": "x86_64", "name": "VMware Tools", "path": "C:\\Program Files\\VMware\\VMware Tools\\", "size": 0, "type": "win", "version": "12.1.0.20219665" }, "vulnerability": { "category": "Packages", "classification": "CVSS", "description": "VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.", "detected_at": "2026-01-26T16:05:13.000Z", "enumeration": "CVE", "id": "CVE-2025-22247", "published_at": "2025-05-12T11:15:49Z", "reference": "http://www.openwall.com/lists/oss-security/2025/05/12/2, http://www.openwall.com/lists/oss-security/2025/05/13/2, https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html, https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683", "scanner": { "condition": "Package less than 12.5.2", "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-22247", "source": "National Vulnerability Database", "vendor": "Wazuh" }, "score": { "base": 6.1, "version": "3.1" }, "severity": "Medium", "under_evaluation": false }, "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } } }, "fields": { "vulnerability.detected_at": [ "2026-01-26T16:05:13.000Z" ], "vulnerability.published_at": [ 
"2025-05-12T11:15:49.000Z" ] }, "highlight": { "host.os.platform": [ "@opensearch-dashboards-highlighted-field@windows@/opensearch-dashboards-highlighted-field@" ] } } { "_index": "wazuh-states-vulnerabilities-wazuh", "_id": "142_95e0df4f6fef7705c4b8c0e40f50e1a95667c956_CVE-2025-22247_3081065", "_version": 1, "_score": 0, "_source": { "agent": { "id": "142", "name": "vit92-mdomsa100", "type": "Wazuh", "version": "v4.13.1" }, "host": { "os": { "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8276", "name": "Microsoft Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": "10.0.17763.8276" } }, "package": { "architecture": "x86_64", "name": "VMware Tools", "path": "C:\\Program Files\\VMware\\VMware Tools\\", "size": 0, "type": "win", "version": "12.1.0.20219665" }, "vulnerability": { "category": "Packages", "classification": "CVSS", "description": "VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.", "detected_at": "2026-01-26T16:05:13.000Z", "enumeration": "CVE", "id": "CVE-2025-22247", "published_at": "2025-05-12T11:15:49Z", "reference": "http://www.openwall.com/lists/oss-security/2025/05/12/2, http://www.openwall.com/lists/oss-security/2025/05/13/2, https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html, https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683", "scanner": { "condition": "Package less than 12.5.2", "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-22247", "source": "National Vulnerability Database", "vendor": "Wazuh" }, "score": { "base": 6.1, "version": "3.1" }, "severity": "Medium", "under_evaluation": false }, "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } } }, "fields": { "vulnerability.detected_at": [ "2026-01-26T16:05:13.000Z" ], 
"vulnerability.published_at": [ "2025-05-12T11:15:49.000Z" ] }, "highlight": { "host.os.platform": [ "@opensearch-dashboards-highlighted-field@windows@/opensearch-dashboards-highlighted-field@" ] } } "_source": { "agent": { "id": "142", "name": "REDACTED", "type": "Wazuh", "version": "v4.13.1" }, "host": { "os": { "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8276", "name": "Microsoft Windows Server 2019 Standard", "platform": "windows", "type": "windows", "version": "10.0.17763.8276" } }, "package": { "architecture": "x86_64", "name": "VMware Tools", "path": "C:\\Program Files\\VMware\\VMware Tools\\", "size": 0, "type": "win", "version": "12.1.0.20219665" }, "vulnerability": { "category": "Packages", "classification": "CVSS", "description": "VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM.", "detected_at": "2026-01-26T16:05:13.000Z", "enumeration": "CVE", "id": "CVE-2025-22247", "published_at": "2025-05-12T11:15:49Z", "reference": "http://www.openwall.com/lists/oss-security/2025/05/12/2, http://www.openwall.com/lists/oss-security/2025/05/13/2, https://lists.debian.org/debian-lts-announce/2025/05/msg00017.html, https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683", "scanner": { "condition": "Package less than 12.5.2", "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-22247", "source": "National Vulnerability Database", "vendor": "Wazuh" }, "score": { "base": 6.1, "version": "3.1" }, "severity": "Medium", "under_evaluation": false }, "wazuh": { "cluster": { "name": "wazuh" }, "schema": { "version": "1.0.0" } } }, "fields": { "vulnerability.detected_at": [ "2026-01-26T16:05:13.000Z" ], "vulnerability.published_at": [ "2025-05-12T11:15:49.000Z" ] }
  1. Check the default group agent.conf  
    1. <agent_config>

        <!-- Shared agent configuration here -->

    1. </agent_config>
  1. Check manager logs for Windows vulnerability scanning activity
    1. 2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25174). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25174
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25175). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25175
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25176). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25176
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25177). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25177
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25178). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25178
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25179). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25179
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25180). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25180
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25181). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25181
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25185). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25185
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25186). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25186
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25187). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25187
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25188). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25188
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-25190). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-25190
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-26111). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-26111
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-26128). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.8957. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_server_2016, Version: 10.0.14393.8957 while scanning for Vulnerability: CVE-2026-26128
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-32225). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-32225'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33098). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33098'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33099). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33099'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33100). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33100'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33104). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33104'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33824). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33824'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33826). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33826'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33827). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33827'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_server_2016' (Installed Version: 10.0.14393.8957, Security Vulnerability: CVE-2026-33829). Identified vulnerability: Version: 10.0.14393.0. Required Version Threshold: 10.0.14393.9060. Required Version Threshold (or Equal): .
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33829'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:394 at handleRequest(): DEBUG: Vulnerability scan for OS 'windows_server_2016' on Agent '254' has completed.
      2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] scanInventorySync.hpp:217 at handleRequest(): DEBUG: No changes in agent element key: 254_Microsoft Windows Server 2016 Standard_10.0.14393.8957


Miguel Angel Cazajous

Apr 21, 2026, 3:45:56 PM (6 days ago) Apr 21
to Wazuh | Mailing List
Hi Daniel, 

One question. 

Do you have vulnerabilities indexed (e.g. for VMware) that you do not see in the dashboard? 

Also regarding the last logs 


2026/04/21 10:41:36 wazuh-modulesd:vulnerability-scanner[1877] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_server_2016', is vulnerable to 'CVE-2026-33829'. Current version: '10.0.14393.8957' (less than '10.0.14393.9060' or equal to ''). - Agent 'REDACTED' (ID: '254', Version: 'v4.14.3').

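After a vulnerability is found, the scanner looks for remediations that solve it. You may find a log similar to this: "Remediation for OS <os_name> on Agent <agent_id> has been found. CVE: '<CVE_ID>'". If such a line follows the match, an installed hotfix is presumably being treated as fixing that CVE, which would explain why it does not reach the inventory.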

Gustavo Choquevilca

Apr 21, 2026, 3:53:08 PM (6 days ago) Apr 21
to Wazuh | Mailing List
Hi,

Thanks for the logs, they've been very helpful. We have a couple of new things to check.

1. Hotfixes collected by syscollector

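Could you run the following command on the manager for one of the affected agents? Replace {AGENT_ID} with the agent ID. Note that -k disables TLS certificate verification; that is tolerable here only because the request goes to localhost on the manager itself.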

curl -k -X GET "https://localhost:55000/syscollector/{AGENT_ID}/hotfixes?pretty=true" -H "Authorization: Bearer $TOKEN"

This will help us determine whether an installed Windows update might be marking a detected vulnerability as patched, which could explain why nothing shows up in the inventory.

2. Check the RocksDB vulnerability queue

We'd also like to check whether the vulnerability data is actually making it into the internal queue before being sent to the indexer. Could you run the following commands on the manager?

../../rocksdb/build/tools/ldb --db=/var/ossec/queue/indexer/wazuh-states-vulnerabilities-{CLUSTER_NAME}/ scan --> Try this anyway

../../rocksdb/build/tools/ldb --db=/var/ossec/queue/indexer/db/wazuh-states-vulnerabilities-{CLUSTER_NAME}/ scan --> Use this if you have the indexer connected.

Replace {CLUSTER_NAME} with your cluster name (you can find it in /var/ossec/etc/ossec.conf under the <cluster> section).

Ideally we'd like to see if there are any entries for the affected Windows agents in the output. A healthy entry looks like this:

00000000000000002829 ==> {"data":{"agent":{"id":"002","name":"8df11d01c31d","type":"Wazuh","version":"v4.11.2"},"host":{"os":{"full":"CentOS Linux 7.9.2009","kernel":"6.11.0-26-generic","name":"CentOS Linux","platform":"centos","type":"centos","version":"7.9.2009"}},"package":{"architecture":"x86_64","description":"A low-level cryptographic library","installed":"2026-03-26T19:18:13.000Z","name":"nettle","size":765082,"type":"rpm","version":"2.7.1-9.el7_9"},"vulnerability":{"category":"Packages","classification":"CVSS","description":"A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process could use this flaw extract plain text or, in some cases, downgrade any TLS connections to a vulnerable server.","detected_at":"2026-04-21T19:28:04.863Z","enumeration":"CVE","id":"CVE-2018-16869","published_at":"2018-12-03T14:29:00Z","reference":"https://access.redhat.com/security/cve/CVE-2018-16869","scanner":{"condition":"Package default status","reference":"https://cti.wazuh.com/vulnerabilities/cves/CVE-2018-16869","source":"Red Hat CVE Database","vendor":"Wazuh"},"score":{"base":5.7,"version":"3.1"},"severity":"Medium","under_evaluation":false},"wazuh":{"cluster":{"name":"noble"},"schema":{"version":"1.0.0"}}},"id":"002_ff3532ac818bc79bd2860e1ec51dfca340c51078_CVE-2018-16869_3154106","no-index":false,"operation":"INSERTED"}

If the Windows agents have "Match found" in the debug logs but no entries in the RocksDB queue, that would help us pinpoint exactly where the data is being dropped.
Please share this information whenever you have it available!

Daniel

Apr 22, 2026, 5:06:16 AM (5 days ago) Apr 22
to Wazuh | Mailing List
Hi Miguel, Gustavo,

For Miguel: the main issue seems to be related to the installed packages on Windows. I see plenty of vulnerabilities for Linux VMs (even up-to-date ones, all of them vulnerabilities with no fix available), for both the OS and its packages. For Windows Server hosts I see very few entries (sometimes 0 on machines that have yet to be updated), and they are always related to the OS only: zero vulnerabilities for installed programs.

For Gustavo, here are the details you requested:
  1. Hotfixes collected (there are many more entries with same scan time)
    1. {
        "data": {
          "affected_items": [
            {
              "scan_time": "2025-10-16T10:41:26+00:00",
              "hotfix": "KB2151757",
              "scan_id": 0,
              "agent_id": "186"
            },
            {
              "scan_time": "2025-10-16T10:41:26+00:00",
              "hotfix": "KB2267602",
              "scan_id": 0,
              "agent_id": "186"
            },
            {
              "scan_time": "2025-10-16T10:41:26+00:00",
              "hotfix": "KB2467173",
              "scan_id": 0,
              "agent_id": "186"
            },
            {
              "scan_time": "2025-10-16T10:41:27+00:00",
              "hotfix": "KB2468871",
              "scan_id": 0,
              "agent_id": "186"
            },
            {
              "scan_time": "2025-10-16T10:41:27+00:00",
              "hotfix": "KB2478063",
              "scan_id": 0,
              "agent_id": "186"
            }
      }
  2. Check the rocksdb
    1. The first command had no output
    2. The second command had plenty of entries, i grepped for windows. I attached the log entries
Regards,
Daniel D.
wazuh_vuln_db_windows.txt

Gustavo Choquevilca

Apr 22, 2026, 7:40:09 AM (5 days ago) Apr 22
to Wazuh | Mailing List
Hello Daniel,
Looking at the RocksDB output you shared, we can see vulnerability data for several Windows agents (017, 261, etc.), which means the scanner is working correctly for those. However, the screenshot of the initial dashboard that you shared in the first comment of this thread shows results filtered by agent ID 168, which does not appear in the RocksDB for Windows output.

Could you check the following:

1. Does agent 168 appear in the RocksDB output you ran earlier?
2. Could you try checking the Vulnerability Inventory in the dashboard for one of the other Windows agents, like 017 or 261, to see if data shows up there?
3. When reviewing the dashboard for one of those agents — specifically the one with issues — could you open the browser developer tools (F12 in Chrome), go to the Network tab, and look for requests to wazuh-states-vulnerabilities? Do you see any errors in the requests being made against opensearch or wazuh-vulnerabilities?
At this point, you can compare the output of a working agent with a non-working one to see what data is expected.

This will help us determine if the issue is specific to agent 168 or affects all Windows agents.

Daniel

Apr 22, 2026, 9:19:15 AM (5 days ago) Apr 22
to Wazuh | Mailing List
Hi Gustavo,

  1. Agent 168 appears in the file I shared earlier. Here is one of the entries I was able to find:
    1. 168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32212_3288457 ==> {"agent":{"id":"168","name":"REDACTED","type":"Wazuh","version":"v4.14.3"},"host":{"os":{"full":"Microsoft Windows Server 2019 Standard 10.0.17763.8511","kernel":"10.0.17763.8511","name":"Microsoft Windows Server 2019 Standard","platform":"windows","type":"windows","version":"10.0.17763.8511"}},"package":{"architecture":"x86_64","name":"Microsoft Windows Server 2019 Standard 10.0.17763.8511","type":"windows","version":"10.0.17763.8511"},"vulnerability":{"category":"OS","classification":"CVSS","description":"Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.","detected_at":"2026-04-21T16:58:23.366Z","enumeration":"CVE","id":"CVE-2026-32212","published_at":"2026-04-14T18:17:27Z","reference":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32212","scanner":{"condition":"Package less than 10.0.17763.8644","reference":"https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32212","source":"National Vulnerability Database","vendor":"Wazuh"},"score":{"base":5.5,"version":"3.1"},"severity":"Medium","under_evaluation":false},"wazuh":{"cluster":{"name":"wazuh"},"schema":{"version":"1.0.0"}}}
  2. Agent 017 doesn't exist; it is possibly an older agent that has been removed. However, 261 exists and here is its data (here packages seem to be correctly identified, as there are CVEs for Notepad++): Screenshot 2026-04-22 143259.png
  3. All requests made to vulnerabilities have 200 as status code, so no errors there.

Regards,
Daniel D.

Gustavo Choquevilca

Apr 22, 2026, 2:38:56 PM (5 days ago) Apr 22
to Wazuh | Mailing List
Summary of everything we have researched so far to help clarify the situation:

- Syscollector is running correctly on the Windows agents and syncing data to the manager (packages, hotfixes, OS info).
- The vulnerability scanner on the manager is processing Windows agents and finding matches (confirmed via debug logs).
- The vulnerability data for Windows agents IS present in the internal RocksDB queue (confirmed in the output you shared), with recent timestamps (April 21).
- Vulnerability detection works correctly for Linux agents end-to-end.

Where the problem is
- The data is making it into the RocksDB queue but does not appear to be reaching the OpenSearch index for the affected Windows agents.
- Agent 168 has entries in RocksDB but shows no results in the dashboard.
- This points to an issue in the sync between the internal queue and the indexer.

Regarding the 200 status codes you mentioned
The fact that all requests return HTTP 200 means there are no connectivity or authentication errors, but it does not mean the data is actually present in the index. A 200 response can still return an empty result set if the data was never written there.

What we need to confirm next:

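1. Please run the following command on the wazuh-indexer to check if agent 168 actually has data in the vulnerability index (if you pass only -u <USER>, curl prompts for the password, which keeps it out of the shell history; -k skips certificate verification and is only appropriate because the target is localhost):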

curl -k -u <USER>:<PASSWORD> "https://localhost:9200/wazuh-states-vulnerabilities*/_search?q=agent.id:168&pretty"

Pay special attention to the detected_at field in the results — this will tell us when the data was last written to the index. If the results are empty or the detected_at is very old, that confirms the data is not being synced from RocksDB to the indexer.

2. Could you also open the Vulnerability Inventory in the dashboard filtered by agent 168, open the browser developer tools (F12 in Chrome), go to the Network tab and look for requests to wazuh-states-vulnerabilities, and share a screenshot of the response body? This will show us exactly what the indexer is returning for that agent. You should see something similar to the screenshot attached below.   

image (17).png

Daniel

Apr 23, 2026, 8:43:55 AM (4 days ago) Apr 23
to Wazuh | Mailing List
Hi Gustavo,

here's the info you requested:
  1. Please run the following command on the wazuh-indexer to check if agent 168 actually has data in the vulnerability index:
    1. {
        "took" : 2,
        "timed_out" : false,
        "_shards" : {
          "total" : 1,
          "successful" : 1,
          "skipped" : 0,
          "failed" : 0
        },
        "hits" : {
          "total" : {
            "value" : 31,
            "relation" : "eq"
          },
          "max_score" : 7.320924,
          "hits" : [
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32225_3288468",
              "_score" : 7.320924,
              "_source" : {

                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-32225",
                  "published_at" : "2026-04-14T18:17:30Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32225",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 8.8,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33098_3288492",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33098",
                  "published_at" : "2026-04-14T18:17:31Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33098",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33098",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 7.8,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33099_3288493",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33099",
                  "published_at" : "2026-04-14T18:17:32Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33099",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33099",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 7.0,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33100_3288494",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33100",
                  "published_at" : "2026-04-14T18:17:32Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33100",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33100",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 7.0,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33104_3288496",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33104",
                  "published_at" : "2026-04-14T18:17:33Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33104",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33104",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 7.0,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33824_3288520",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33824",
                  "published_at" : "2026-04-14T18:17:34Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33824",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 9.8,
                    "version" : "3.1"
                  },
                  "severity" : "Critical",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33826_3288522",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33826",
                  "published_at" : "2026-04-14T18:17:35Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33826",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 8.0,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33827_3288523",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.",
                  "detected_at" : "2026-04-21T16:58:23.366Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-33827",
                  "published_at" : "2026-04-14T18:17:35Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33827",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 8.1,
                    "version" : "3.1"
                  },
                  "severity" : "High",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32214_3288458",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.",
                  "detected_at" : "2026-04-21T16:57:57.146Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-32214",
                  "published_at" : "2026-04-14T18:17:28Z",
                  "reference" : "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32214",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32214",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 5.5,
                    "version" : "3.1"
                  },
                  "severity" : "Medium",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            },
            {
              "_index" : "wazuh-states-vulnerabilities-wazuh",
              "_id" : "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32202_3288456",
              "_score" : 7.320924,
              "_source" : {
                "agent" : {
                  "id" : "168",
                  "name" : "REDACTED",
                  "type" : "Wazuh",
                  "version" : "v4.14.3"
                },
                "host" : {
                  "os" : {
                    "full" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                    "kernel" : "10.0.17763.8511",
                    "name" : "Microsoft Windows Server 2019 Standard",
                    "platform" : "windows",
                    "type" : "windows",
                    "version" : "10.0.17763.8511"
                  }
                },
                "package" : {
                  "architecture" : "x86_64",
                  "name" : "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                  "type" : "windows",
                  "version" : "10.0.17763.8511"
                },
                "vulnerability" : {
                  "category" : "OS",
                  "classification" : "CVSS",
                  "description" : "Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.",
                  "detected_at" : "2026-04-21T16:57:57.147Z",
                  "enumeration" : "CVE",
                  "id" : "CVE-2026-32202",
                  "published_at" : "2026-04-14T18:17:27Z",
                  "scanner" : {
                    "condition" : "Package less than 10.0.17763.8644",
                    "reference" : "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32202",
                    "source" : "National Vulnerability Database",
                    "vendor" : "Wazuh"
                  },
                  "score" : {
                    "base" : 4.3,
                    "version" : "3.1"
                  },
                  "severity" : "Medium",
                  "under_evaluation" : false
                },
                "wazuh" : {
                  "cluster" : {
                    "name" : "wazuh"
                  },
                  "schema" : {
                    "version" : "1.0.0"
                  }
                }
              }
            }
          ]
        }
      }
  1. This is the response of the opensearch request in the DevTools tab of Chrome:
    1. {
          "isPartial": false,
          "isRunning": false,
          "rawResponse": {
              "took": 5,
              "timed_out": false,
              "_shards": {
                  "total": 1,
                  "successful": 1,
                  "skipped": 0,
                  "failed": 0
              },
              "hits": {
                  "total": 31,
                  "max_score": 0,
                  "hits": [
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32225_3288468",
                          "_score": 0,
                          "_source": {
                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32225",
                                  "published_at": "2026-04-14T18:17:30Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32225",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 8.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:30.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33098_3288492",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33098",
                                  "published_at": "2026-04-14T18:17:31Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33098",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33098",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:31.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33099_3288493",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33099",
                                  "published_at": "2026-04-14T18:17:32Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33099",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33099",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:32.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33100_3288494",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33100",
                                  "published_at": "2026-04-14T18:17:32Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33100",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33100",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:32.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33104_3288496",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33104",
                                  "published_at": "2026-04-14T18:17:33Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33104",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33104",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:33.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33824_3288520",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33824",
                                  "published_at": "2026-04-14T18:17:34Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33824",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 9.8,
                                      "version": "3.1"
                                  },
                                  "severity": "Critical",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:34.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33826_3288522",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33826",
                                  "published_at": "2026-04-14T18:17:35Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33826",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:35.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33827_3288523",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.",
                                  "detected_at": "2026-04-21T16:58:23.366Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33827",
                                  "published_at": "2026-04-14T18:17:35Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33827",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 8.1,
                                      "version": "3.1"
                                  },
                                  "severity": "High",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:58:23.366Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:35.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32214_3288458",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.",
                                  "detected_at": "2026-04-21T16:57:57.146Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32214",
                                  "published_at": "2026-04-14T18:17:28Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32214",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32214",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 5.5,
                                      "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.146Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:28.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32202_3288456",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32202",
                                  "published_at": "2026-04-14T18:17:27Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32202",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 4.3,
                                      "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:27.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32215_3288459",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32215",
                                  "published_at": "2026-04-14T18:17:28Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32215",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32215",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 5.5,
                                      "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:28.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32165_3288452",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32165",
                                  "published_at": "2026-04-14T18:17:19Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32165",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32165",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:19.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32164_3288451",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32164",
                                  "published_at": "2026-04-14T18:17:18Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32164",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32164",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:18.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32183_3288454",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32183",
                                  "published_at": "2026-04-14T18:17:20Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32183",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32183",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:20.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32212_3288457",
                          "_score": 0,
                          "_source": {
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32212",
                                  "published_at": "2026-04-14T18:17:27Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32212",
                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32212",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 5.5,
                                      "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:27.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32162_3288449",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32162",
                                  "published_at": "2026-04-14T18:17:18Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32162",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32162",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 8.4,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:18.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32163_3288450",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32163",
                                  "published_at": "2026-04-14T18:17:18Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32163",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32163",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:18.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32217_3288461",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.",
                                  "detected_at": "2026-04-21T16:57:57.147Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32217",
                                  "published_at": "2026-04-14T18:17:29Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32217",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32217",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 5.5,
                                      "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-21T16:57:57.147Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:29.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32087_3289422",
                          "_score": 0,
                          "_source": {

                              "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
                                  "description": "Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32087",
                                  "published_at": "2026-04-14T18:17:12Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32087",

                                  "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
                                      "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32087",
                                      "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
                                      "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
                          },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:12.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32088_3289423",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32088",
                                  "published_at": "2026-04-14T18:17:13Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32088",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 5.7,

    1.                                 "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:13.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32089_3289424",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32089",
                                  "published_at": "2026-04-14T18:17:13Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32089",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32089",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:13.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32090_3289425",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32090",
                                  "published_at": "2026-04-14T18:17:13Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32090",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32090",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:13.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32091_3289426",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32091",
                                  "published_at": "2026-04-14T18:17:14Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32091",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:14.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32093_3289427",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32093",
                                  "published_at": "2026-04-14T18:17:14Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32093",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32093",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:14.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32149_3289428",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32149",
                                  "published_at": "2026-04-14T18:17:14Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32149",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32149",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7.3,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:14.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32150_3289429",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32150",
                                  "published_at": "2026-04-14T18:17:15Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32150",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32150",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:15.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32151_3289430",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32151",
                                  "published_at": "2026-04-14T18:17:15Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32151",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32151",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 6.5,

    1.                                 "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:15.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32158_3289432",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32158",
                                  "published_at": "2026-04-14T18:17:17Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32158",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32158",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:17.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32159_3289433",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32159",
                                  "published_at": "2026-04-14T18:17:17Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32159",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32159",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:17.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-32160_3289434",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-32160",
                                  "published_at": "2026-04-14T18:17:17Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32160",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-32160",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 7.8,
                                      "version": "3.1"
                                  },
                                  "severity": "High",

    1.                             "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:17.000Z"
                              ]
                          }
                      },
                      {
                          "_index": "wazuh-states-vulnerabilities-wazuh",
                          "_id": "168_Microsoft Windows Server 2019 Standard_10.0.17763.8511_CVE-2026-33829_3289461",
                          "_score": 0,
                          "_source": {

    1.                         "agent": {
                                  "id": "168",
                                  "name": "REDACTED",
                                  "type": "Wazuh",
                                  "version": "v4.14.3"
                              },
                              "host": {
                                  "os": {
                                      "full": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                      "kernel": "10.0.17763.8511",
                                      "name": "Microsoft Windows Server 2019 Standard",
                                      "platform": "windows",
                                      "type": "windows",
                                      "version": "10.0.17763.8511"
                                  }
                              },
                              "package": {
                                  "architecture": "x86_64",
                                  "name": "Microsoft Windows Server 2019 Standard 10.0.17763.8511",
                                  "type": "windows",
                                  "version": "10.0.17763.8511"
                              },
                              "vulnerability": {
                                  "category": "OS",
                                  "classification": "CVSS",
    1.                             "description": "Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network.",
                                  "detected_at": "2026-04-22T16:35:43.633Z",
                                  "enumeration": "CVE",
                                  "id": "CVE-2026-33829",
                                  "published_at": "2026-04-14T18:17:35Z",
                                  "reference": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829, https://github.com/blackarrowsec/redteam-research/tree/master/CVE-2026-33829",

    1.                             "scanner": {
                                      "condition": "Package less than 10.0.17763.8644",
    1.                                 "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2026-33829",

    1.                                 "source": "National Vulnerability Database",
                                      "vendor": "Wazuh"
                                  },
                                  "score": {
    1.                                 "base": 4.3,

    1.                                 "version": "3.1"
                                  },
                                  "severity": "Medium",
                                  "under_evaluation": false
                              },
                              "wazuh": {
                                  "cluster": {
                                      "name": "wazuh"
                                  },
                                  "schema": {
                                      "version": "1.0.0"
                                  }
                              }
    1.                     },
                          "fields": {
                              "vulnerability.detected_at": [
                                  "2026-04-22T16:35:43.633Z"
                              ],
                              "vulnerability.published_at": [
                                  "2026-04-14T18:17:35.000Z"
                              ]
                          }
                      }
                  ]
              }
          },
          "total": 1,
          "loaded": 1
      }

Gustavo Choquevilca

Apr 23, 2026, 9:49:37 AM (4 days ago) Apr 23
to Wazuh | Mailing List
Hello Daniel,

Good news: we checked the wazuh-indexer index directly and the vulnerability data for agent 168 is actually there, with 31 entries and recent timestamps (April 21, 2026). So the pipeline is working fine end-to-end.

This means the issue is on the dashboard side, not the data. A few things worth trying:

1. Remove all active filters in the Vulnerability Inventory (Evaluated, Under evaluation, etc.) and see if anything shows up.
2. Clear your browser cache and try again, or open the dashboard in a private/incognito window.
3. If that doesn't help, try restarting the Wazuh dashboard service.

Also, I previously asked about checking the browser developer tools (F12) to capture the network requests to wazuh-states-vulnerabilities. Could you share a screenshot or copy the response body from that request? Any output you see in that panel is helpful, whether it's a screenshot, a log, or just the raw response. That will help us see exactly what the dashboard is querying and what it's getting back. Before posting the capture to the list, redact session cookies, authorization headers, hostnames and internal IP addresses from it.