Windows OS vulnerabilities removed from state without emitting `Solved` alerts when OS version key changes after KB installation


Daniel

Jul 2, 2026, 5:06:00 PM
to Wazuh | Mailing List
We are seeing a case where Windows OS vulnerabilities are correctly removed from the current vulnerability state after patching, but no `Solved` vulnerability events are emitted. As a result, the Wazuh dashboard Events tab still shows historical `Active` events and no corresponding `Solved` events for some agents.

Environment:

  • Wazuh manager: `4.14.4-1`
  • `wazuh-control`: `VERSION="v4.14.4"`, `REVISION="rc2"`
  • Wazuh indexer/dashboard: `4.14.4-1`
  • Windows agents: `v4.14.3`
  • Affected OS: Microsoft Windows Server 2019 Standard
  • Vulnerability detection enabled with `index-status` enabled
  • Single manager, single indexer/dashboard deployment

Scenario:
A Windows Server 2019 agent was patched with cumulative update `KB5094123`, moving the OS build from:

  • vulnerable: `10.0.17763.8755`
  • fixed: `10.0.17763.8880`

After patching:

  • `wazuh-states-inventory-system-*` correctly shows `10.0.17763.8880`
  • `wazuh-states-inventory-hotfixes-*` correctly shows `KB5094123`
  • `wazuh-states-vulnerabilities-*` no longer contains the OS CVEs
  • however, `wazuh-alerts-*` contains only old `Active` events and no `Solved` events

This was confirmed not to be a dashboard/indexer/Filebeat issue, because the manager local alert files under `/var/ossec/logs/alerts/` also do not contain any `Solved` events for the affected agent.

Relevant sanitized timeline from manager debug logs:

```text
2026/06/25 02:55:30 vulnerability-scanner: Match found, OS windows_server_2019 is vulnerable. Current version: 10.0.17763.8755, required threshold: 10.0.17763.8880. Agent: [REDACTED_AGENT_A]
2026/06/25 03:56:02 logger-helper: Upsert hotfix inventory document: id: [REDACTED_AGENT_A]_KB5094123
2026/06/25 03:57:00 logger-helper: Upsert system inventory document: id: [REDACTED_AGENT_A]_Microsoft Windows Server 2019 Standard host.os.version: 10.0.17763.8880
2026/06/25 04:00:06 vulnerability-scanner scanInventorySync.hpp:80: Deleting agent element key: [REDACTED_AGENT_A]_Microsoft Windows Server 2019 Standard_10.0.17763.8755
2026/06/25 04:00:12 indexer-connector: Added document for deletion with id: [REDACTED_AGENT_A]_Microsoft Windows Server 2019 Standard_10.0.17763.8755_CVE-2026-...
```

For comparison, on another agent where Solved events were generated correctly, the logs show the normal inventory-diff path:

```text
2026/06/25 10:16:13 osScanner.hpp:354: Remediation for OS windows_server_2019 on Agent [REDACTED_AGENT_B] has been found. CVE: CVE-2026-..., Remediation: KB5094123
2026/06/25 10:16:13 scanInventorySync.hpp:143: Removing element from inventory: [REDACTED_AGENT_B]_Microsoft Windows Server 2019 Standard_10.0.17763.8755_CVE-2026-...
2026/06/25 10:16:13 scanInventorySync.hpp:190: Deleting agent element key: [REDACTED_AGENT_B]_Microsoft Windows Server 2019 Standard_10.0.17763.8755
```

That second path generated Solved events with rule 23502.

Observed behavior:

  • Affected agents: old Active OS CVE alerts remain in wazuh-alerts-*, no Solved alerts are emitted.
  • Current vulnerability state is clean for those OS CVEs.
  • Other agents patched with the same KB do generate Solved events.

Expected behavior:
When Wazuh removes OS vulnerability state because the OS version changed from a vulnerable build to a fixed build, it should emit Solved vulnerability events, the same way it does when CVEs are removed through the normal hotfix/remediation inventory diff path.

Hypothesis:
For Windows OS vulnerabilities, the inventory key includes the OS version:

agentID_OSNAME_OSVERSION

When the OS inventory changes quickly from 10.0.17763.8755 to 10.0.17763.8880 after KB5094123, Wazuh enters the cleanup path in scanInventorySync.hpp:80 for the stale OS-version key. That path deletes the previous vulnerability-state documents but does not appear to emit the corresponding Solved reports.

Relevant code paths:

  • scanInventorySync.hpp:73-95: cleanup when OS key changes
  • scanInventorySync.hpp:128-143: normal CVE removal from inventory
  • scanInventorySync.hpp:185-192: normal inventory delete after diff
  • osScanner.hpp:320-373: Windows hotfix remediation filtering

Question:
Is this expected behavior, or should the OS-version-key cleanup path also emit Solved vulnerability events for the CVEs removed from the previous OS version key?
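The gap Daniel describes (CVEs that vanish from `wazuh-states-vulnerabilities-*` while the newest alert for them is still `Active`) can be spotted by reconciling the two data sources. The script below is an added example, not code from the thread or from the Wazuh project; it builds the `agentID_OSNAME_OSVERSION` key the post describes and groups the unreconciled CVEs by that key so stale OS-version keys stand out. The alert and state documents are constructed samples, and the field layout (`agent.id`, `data.vulnerability.cve`, `data.vulnerability.status`, `data.vulnerability.package.*` in alerts; `agent.id`, `vulnerability.id`, `package.*` in state documents) is an assumption about the index mappings, not something the thread confirms.

```python
"""Reconcile vulnerability alerts against current vulnerability state.

Reports CVEs whose most recent alert is `Active` but which no longer appear in
the state index, i.e. removals that never produced a `Solved` event.
Field names are an assumption about the Wazuh alert/state mappings.
"""
import json
from collections import defaultdict

# Constructed sample alert lines (JSON per line), not captured Wazuh output.
SAMPLE_ALERT_LINES = [
    # Agent A: two OS CVEs flagged Active on the vulnerable build, never marked Solved
    '{"timestamp":"2026-06-25T02:55:30","agent":{"id":"AGENT_A"},"data":{"vulnerability":'
    '{"cve":"CVE-2026-0001","status":"Active","package":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763.8755"}}}}',
    '{"timestamp":"2026-06-25T02:55:31","agent":{"id":"AGENT_A"},"data":{"vulnerability":'
    '{"cve":"CVE-2026-0002","status":"Active","package":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763.8755"}}}}',
    # Agent B: same CVE flagged Active, then Solved through the normal diff path
    '{"timestamp":"2026-06-25T02:56:00","agent":{"id":"AGENT_B"},"data":{"vulnerability":'
    '{"cve":"CVE-2026-0001","status":"Active","package":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763.8755"}}}}',
    '{"timestamp":"2026-06-25T10:16:13","agent":{"id":"AGENT_B"},"data":{"vulnerability":'
    '{"cve":"CVE-2026-0001","status":"Solved","package":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763.8755"}}}}',
    # Agent C: still unpatched, so the CVE is still present in state
    '{"timestamp":"2026-06-25T02:57:00","agent":{"id":"AGENT_C"},"data":{"vulnerability":'
    '{"cve":"CVE-2026-0001","status":"Active","package":{"name":"Microsoft Windows Server 2019 Standard","version":"10.0.17763.8755"}}}}',
]

# Constructed snapshot of wazuh-states-vulnerabilities-* documents: only agent C
# is still listed as affected after the other two were patched.
SAMPLE_STATE_DOCS = [
    {"agent": {"id": "AGENT_C"}, "vulnerability": {"id": "CVE-2026-0001"},
     "package": {"name": "Microsoft Windows Server 2019 Standard", "version": "10.0.17763.8755"}},
]


def state_key(agent_id, os_name, os_version):
    """Build the agentID_OSNAME_OSVERSION key the thread describes."""
    return f"{agent_id}_{os_name}_{os_version}"


def last_status_per_cve(alert_lines):
    """Return {(agent_id, cve): (newest_status, state_key)} from alert JSON lines."""
    events = []
    for line in alert_lines:
        alert = json.loads(line)
        vuln = alert["data"]["vulnerability"]
        events.append((alert["timestamp"], alert["agent"]["id"], vuln["cve"],
                       vuln["status"], vuln["package"]["name"], vuln["package"]["version"]))
    latest = {}
    # Sorting by timestamp first means the last write per (agent, cve) wins.
    for _ts, agent_id, cve, status, os_name, os_version in sorted(events):
        latest[(agent_id, cve)] = (status, state_key(agent_id, os_name, os_version))
    return latest


def find_missing_solved(alert_lines, state_docs):
    """CVEs whose newest alert is Active yet are absent from state, grouped by key."""
    in_state = {(d["agent"]["id"], d["vulnerability"]["id"]) for d in state_docs}
    gaps = defaultdict(list)
    for (agent_id, cve), (status, key) in last_status_per_cve(alert_lines).items():
        if status == "Active" and (agent_id, cve) not in in_state:
            gaps[key].append(cve)
    return {key: sorted(cves) for key, cves in gaps.items()}


if __name__ == "__main__":
    for key, cves in find_missing_solved(SAMPLE_ALERT_LINES, SAMPLE_STATE_DOCS).items():
        print(f"{key}: removed from state without Solved events: {', '.join(cves)}")
```

On a real deployment the alert lines would come from `/var/ossec/logs/alerts/alerts.json` (the manager-side file the post already checked) and the state documents from a query against `wazuh-states-vulnerabilities-*`; agent B shows the healthy case, agent C the still-vulnerable case, and only agent A's stale `10.0.17763.8755` key is reported.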

Javier Adán Méndez Méndez

Jul 2, 2026, 8:57:07 PM
to Wazuh | Mailing List
Hi Daniel


You're right that there seem to be two different code paths here: the normal remediation/inventory-diff path (which emits Solved events with rule 23502), and the OS-version-key cleanup path in scanInventorySync.hpp, which in your case removed the vulnerability state documents without emitting the corresponding Solved events.

I can't confirm at this point whether this is expected behavior or a bug, so I've escalated your question to the corresponding team for review. As soon as I have an answer, I'll get back to you in this thread.

In the meantime, if you can share your manager's ossec.conf vulnerability detection block and confirm whether this reproduces consistently on the affected agents, that would help the team's analysis.


Javier Mendez
