CVE should be fixed but not showing in wazuh


exe

Mar 27, 2026, 4:11:10 AM (14 days ago) Mar 27
to Wazuh | Mailing List
Hello,

We have many Adobe Acrobat CVEs and updated the application yesterday, but the CVEs still persist in the dashboard.
How can we fix this so it is updated?

Thank you!

Bony V John

Mar 27, 2026, 4:34:21 AM (14 days ago) Mar 27
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Mar 27, 2026, 5:22:50 AM (14 days ago) Mar 27
to Wazuh | Mailing List
Hi,

Even after updating the Adobe Acrobat package to a newer version, if that version itself contains known vulnerabilities, it will still appear as vulnerable on the dashboard.

To verify whether this is a false positive, first confirm that the installed package version matches the one reported by Wazuh.

On the endpoint, check the currently installed version of the package that is showing the vulnerability.

Then, on the Wazuh dashboard:

  • Click the hamburger menu (top left)
  • Go to Server Management > Dev Tools
  • Run the following command:
GET /syscollector/<agent_id>/packages?name=<package_name>

Replace <agent_id> and <package_name> with the relevant values.

Confirm that the version shown in the output matches the version installed on the endpoint.

If the versions match, please share the vulnerability details from the Inventory section for further analysis:

  • Go to Vulnerability Detection > Inventory
  • Select the affected package
  • Switch the view to JSON
  • Share the JSON output

This will help determine whether the alert is a false positive. You can also verify the vulnerability details using Wazuh CTI.


If the versions do not match, follow the steps below:  

By default, the Wazuh agent runs the Syscollector scan every hour. It collects package and system details from the endpoint and forwards them to the Wazuh server.

Run the following command on the endpoint CLI:

cat /var/ossec/logs/ossec.log | grep -iE "syscollector"

If it is running every hour, it should show output similar to:
2025/12/02 11:14:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 11:14:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/02 12:14:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 12:14:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.


If Syscollector is not running, check the Wazuh agent ossec.conf file using this Wazuh documentation.

If Syscollector is running fine on the endpoint, then on the Wazuh manager, check whether there are any agent sync issues or indexer connection errors in ossec.log. Run the below command on the Wazuh manager CLI:
cat /var/ossec/logs/ossec.log | grep -iE "sync|indexer-connector|error|warn"

Check if there are any error or warning logs related to agent sync or indexer connection.
If you find indexer authentication errors, you can update the Wazuh Indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool:
echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password


Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials.

Also, verify the <indexer> configuration section in the Wazuh manager ossec.conf file. You can refer to the Wazuh documentation for configuration validation and more details about updating the keystore.
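
The Syscollector log check described in the reply above, as an added example that is not part of the original post or of Wazuh itself: it parses the two log messages quoted there and reports whether a scan has completed since the package was updated. The function names, the `slack` tolerance and the extra sample line are assumptions; the one-hour interval is the default stated in the reply.

```python
import re
from datetime import datetime, timedelta

# Matches the two syscollector messages quoted in the reply above.
LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-modulesd:syscollector: "
    r"INFO: (Starting evaluation|Evaluation finished)\.")

def parse_scans(log_text):
    """Return [(start, finish_or_None), ...] for each syscollector scan."""
    scans = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting evaluation":
            scans.append((ts, None))
        elif scans and scans[-1][1] is None:
            scans[-1] = (scans[-1][0], ts)
    return scans

def check_scans(log_text, updated_at, interval=timedelta(hours=1),
                slack=timedelta(minutes=5)):
    """Summarise scan health relative to the time the package was updated."""
    scans = parse_scans(log_text)
    finished = [f for _, f in scans if f is not None]
    starts = [s for s, _ in scans]
    gaps = [(a, b) for a, b in zip(starts, starts[1:]) if b - a > interval + slack]
    return {
        "scans": len(scans),
        "unfinished": sum(1 for _, f in scans if f is None),
        "missed_intervals": gaps,
        "last_finished": max(finished) if finished else None,
        # True only if a scan both started and finished after the update.
        "scanned_since_update": any(s >= updated_at and f for s, f in scans),
    }

# Constructed sample: the log lines from the reply plus a later, unfinished scan.
SAMPLE = """\
2025/12/02 11:14:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 11:14:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/02 12:14:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 12:14:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/02 15:20:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
"""

if __name__ == "__main__":
    for key, value in check_scans(SAMPLE, datetime(2025, 12, 2, 13, 0)).items():
        print(f"{key}: {value}")
```

On an endpoint, pass the contents of /var/ossec/logs/ossec.log as `log_text` and the time the package was updated as `updated_at`.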

exe

4:09 AM (16 hours ago) 4:09 AM
to Wazuh | Mailing List
Hi Bony,

thank you for your amazing help!
We found out that the applications are indeed updated, but I just have the problem that Wazuh shows they are disconnected (the endpoints) even though they are active.

How can I maybe find the root of this problem?

Thank you for the help!
