For comparison, on another agent where Solved events were generated correctly, the logs show the normal inventory-diff path:
2026/06/25 10:16:13 osScanner.hpp:354: Remediation for OS windows_server_2019 on Agent [REDACTED_AGENT_B] has been found. CVE: CVE-2026-..., Remediation: KB5094123 2026/06/25 10:16:13 scanInventorySync.hpp:143: Removing element from inventory: [REDACTED_AGENT_B]_Microsoft Windows Server 2019 Standard_10.0.17763.8755_CVE-2026-... 2026/06/25 10:16:13 scanInventorySync.hpp:190: Deleting agent element key: [REDACTED_AGENT_B]_Microsoft Windows Server 2019 Standard_10.0.17763.8755That second path generated Solved events with rule 23502.
Observed behavior:
Expected behavior:
When Wazuh removes OS vulnerability state because the OS version changed from a vulnerable build to a fixed build, it should emit Solved vulnerability events, the same way it does when CVEs are removed through the normal hotfix/remediation inventory diff path.
Hypothesis:
For Windows OS vulnerabilities, the inventory key includes the OS version:
When the OS inventory changes quickly from 10.0.17763.8755 to 10.0.17763.8880 after KB5094123, Wazuh enters the cleanup path in scanInventorySync.hpp:80 for the stale OS-version key. That path deletes the previous vulnerability-state documents but does not appear to emit the corresponding Solved reports.
Relevant code paths:
Question:
Is this expected behavior, or should the OS-version-key cleanup path also emit Solved vulnerability events for the CVEs removed from the previous OS version key?
You're right that there seem to be two different code paths here: the normal remediation/inventory-diff path (which emits Solved events with rule 23502), and the OS-version-key cleanup path in scanInventorySync.hpp, which in your case removed the vulnerability state documents without emitting the corresponding Solved events.
I can't confirm at this point whether this is expected behavior or a bug, so I've escalated your question to the corresponding team for review. As soon as I have an answer, I'll get back to you in this thread.
In the meantime, if you can share your manager's ossec.conf vulnerability detection block and confirm whether this reproduces consistently on the affected agents, that would help the team's analysis.
Javier Mendez