CVE-2025-49844 not in offline ZIP VULN Database but in CTI
53 views
Skip to first unread message
No Data
Oct 9, 2025, 6:18:45 AM (yesterday) Oct 9
to Wazuh | Mailing List
HI,
the cve-2025-49844 is in the CTI https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-49844, but not in the newest snapshot zip. https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/2839379_1759749722.zip
Can someone explain why?
With best Regards
Damian Alfredo Mangold
Oct 9, 2025, 6:54:28 AM (yesterday) Oct 9
to Wazuh | Mailing List
The reason you don’t see that vulnerability in the snapshot is because snapshots are generated once a week, usually on Mondays. At the time the latest snapshot was created, that CVE was not yet part of the published dataset.
In the CTI platform, CVEs are updated daily and can be retrieved through offsets when the Wazuh manager is running in normal mode (i.e., not in offline mode).
No Data
Oct 9, 2025, 7:05:50 AM (yesterday) Oct 9
to Wazuh | Mailing List
Thanks for your answer, so you mean, if i run the vulnerability detector in offline mode i get the data with a one week delay? thats realy odd and should be explained in the dokumentation.
the problem is, i cant run it in normal mode, because the server has no direct internet connection.
im confused.
Damian Alfredo Mangold
Oct 9, 2025, 7:46:52 AM (yesterday) Oct 9
to Wazuh | Mailing List
In the documentation, it is mentioned that “Wazuh regularly publishes a snapshot of its threat intelligence repository.”
Currently, the publication cadence is once per week.
You can run the following command to check the date when the latest snapshot was generated:
curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'
This will display both the snapshot download link and the timestamp of its creation.
Currently, the publication cadence is once per week.
You can run the following command to check the date when the latest snapshot was generated:
curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'
This will display both the snapshot download link and the timestamp of its creation.
No Data
Oct 9, 2025, 8:20:45 AM (yesterday) Oct 9
to Wazuh | Mailing List
i know how to get the latest snapshot. but no where in the documentation is the cadence time explained.
in my opinion we talking over an high secuity system that never should be connected to the internet. so it is a little bit odd, that i get CVE Data older than 6 days.
but ok, its free at this point and so i must live with this decicion.
Damian Alfredo Mangold
Oct 9, 2025, 9:23:00 AM (yesterday) Oct 9
to Wazuh | Mailing List
I’ll forward your suggestion to the documentation team so they can consider clarifying the snapshot generation cadence in the official documentation.
Thank you for your feedback! It helps us improve the information we provide to the community.
Thank you for your feedback! It helps us improve the information we provide to the community.
Reply all
Reply to author
Forward
0 new messages