Subject: Inquiry Regarding Filebeat 7.10.2 Vulnerability (CVE-2025-68381/68382/68383) in Wazuh 4.12 and Fix Status in Latest Releases

流苏

Mar 1, 2026, 10:42:50 PM
to Wazuh | Mailing List
Dear Wazuh Support Team,
I hope this message finds you well.
I am currently running Wazuh version 4.12, which includes Filebeat 7.10.2 as part of the agent deployment. Recently, our vulnerability scanning tool flagged this Filebeat version as affected by the following security advisories:
  • CVE-2025-68381
  • CVE-2025-68382
  • CVE-2025-68383
These vulnerabilities relate to buffer overflow issues in Beats components (including Filebeat and Packetbeat) that could lead to denial-of-service conditions.
I would like to kindly ask for your clarification on the following points:
  1. Has this issue been addressed in the latest Wazuh releases (e.g., 4.13 or 4.14)?
     Specifically, does Wazuh 4.14.x ship with a patched version of Filebeat (such as 8.19.9 or 9.2.3+) that resolves these CVEs?
  2. If the vulnerability is not yet fully mitigated in the current stable release, is there an official plan or timeline to upgrade the bundled Filebeat component to a secure version?
  3. For users still on Wazuh 4.12, is it safe or supported to manually replace the bundled Filebeat binary with a newer, patched version from Elastic?
We are evaluating whether an immediate upgrade is necessary and would greatly appreciate your guidance to ensure our environment remains secure and compliant.
Thank you very much for your time and support.
Best regards,
Sihan Li

Md. Nazmur Sakib

Mar 2, 2026, 12:54:09 AM
to Wazuh | Mailing List

Hi Sihan,

Wazuh manager uses Filebeat to process and forward the logs from the Wazuh Manager to the Wazuh indexer. The agents on the endpoints do not use Filebeat, so I am confused about this part you have mentioned: "Wazuh includes Filebeat 7.10.2 as part of the agent deployment."

Filebeat 7.10.2 has two versions: OSS and Elastic License.

Wazuh uses Filebeat-OSS 7.10.2 for 4.12.0.
https://documentation.wazuh.com/4.12/upgrade-guide/index.html#:~:text=Wazuh%20indexer%204.12.0%20is%20specifically%20compatible%20with%20Filebeat%2DOSS%207.10.2.


Based on my findings, CVE-2025-68381 and CVE-2025-68382 are related to Packetbeat, not Filebeat.

https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-30/384178
https://discuss.elastic.co/t/packetbeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-31/384179


I can see that Filebeat 7.10.2 is vulnerable to CVE-2025-68383, but I could not find any official reference to the Filebeat 7.10.2 OSS build.
https://discuss.elastic.co/t/filebeat-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-32/384180
Wazuh indexer is based on OpenSearch, which uses Filebeat version OSS 7.10.2; upgrading or changing to another version will not work in this case.
I would also like to let you know that, starting from 5.0, we are moving towards using Wazuh manager to directly forward logs to the indexer, as you can already see for the Vulnerability and IT Hygiene indices. So Filebeat won't be needed anymore.
The development is already done and tested.
https://github.com/wazuh/wazuh/issues/32670


Let me know if you need any further information.
