Introducing Wazuh CTI

The Wazuh Cyber Threat Intelligence (CTI) service is a publicly accessible platform that collects, analyzes, and disseminates actionable information on emerging cyber threats and vulnerabilities.
The service launches with a focus on vulnerability intelligence, delivering timely updates on Common Vulnerabilities and Exposures (CVEs), severity scores, exploitability insights, and mitigation strategies. It aggregates and sanitizes data from trusted sources, including operating system vendors and major vulnerability databases, to ensure high-quality, relevant intelligence. This data enables Wazuh users and organizations to reduce their attack surface and minimize the risk of exploitation and data breaches.
Wazuh 5.0 will expand the CTI service to support additional threat intelligence domains, including Indicators of Compromise (IOCs) such as IP addresses, file hashes, and URLs. In this future release, Wazuh threat detection rules will also be provided directly from the Wazuh CTI platform.
In this blog post, we show how Wazuh CTI enhances your security operations with actionable threat intelligence, uncovering vulnerabilities and improving detection and response.
The Wazuh CTI platform gathers vulnerability data from a defined set of trusted sources, including official feeds from operating system vendors and reputable security databases. The sources include:
Wazuh CTI currently focuses on vulnerability intelligence, using a structured process to ensure the accuracy and consistency of the data it ingests.
After completing all these steps, the processed vulnerability data is merged and uploaded to the repository, then published through the Wazuh CTI API.
The Wazuh CTI API powers both the public threat intelligence website and the vulnerability detection feature within the Wazuh XDR & SIEM unified platform. The service is accessible either through the Wazuh CTI website or from the Wazuh dashboard by navigating to the Vulnerability Detection section.
The Wazuh CTI website is open to the public and requires no Wazuh installation. It features a robust search tool for filtering vulnerabilities by CVE ID, affected application, CVSS score, severity, and publication date, with customizable sorting.
The image below shows the Wazuh CTI web interface.
You can also explore CVE data by source, view yearly vulnerability trends, and see the most frequently searched vulnerabilities.
Starting with Wazuh 4.12, you can access Wazuh CTI directly from vulnerability alerts in the dashboard. To do this, navigate to Vulnerability Detection > Inventory and click the vulnerability.id of any unresolved issue to open detailed threat intelligence on the Wazuh CTI website. For example, clicking CVE-2025-0411 shows information related to a vulnerable 7-Zip package.
You will be redirected to the Wazuh CTI website, where you can find more information on the detected vulnerability, including its description, the affected operating systems and software versions, severity metrics, and additional references.
The image below shows the detected CVE-2025-0411 vulnerability on the Wazuh CTI website. This vulnerability in 7-Zip allows remote attackers to bypass the Mark-of-the-Web (MotW) security mechanism.
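The same pivot can be scripted outside the dashboard, for instance to triage a large inventory before opening individual CTI pages. The Python below is an added example, not code from the blog post or the Wazuh project: it takes vulnerability inventory records (constructed here, shaped after the vulnerability.id, vulnerability.severity, vulnerability.score.base, package and agent fields seen in the dashboard), groups them by CVE, ranks them by CVSS base score and builds a Wazuh CTI link for each. The CTI URL pattern and the exact record layout are assumptions, not something the post confirms, and the placeholder CVE identifiers in the sample data are not real entries.

```python
"""Triage Wazuh vulnerability inventory records and build CTI pivot links.

Added example, not Wazuh project code. Assumptions (not confirmed by the post):
  * records carry vulnerability.id / severity / score.base / published_at,
    package.name / version and agent.name, as in the 4.12 inventory view;
  * a CTI CVE page lives at https://cti.wazuh.com/vulnerabilities/cves/<CVE-ID>.
The sample records below are constructed, not captured from a deployment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

CTI_CVE_URL = "https://cti.wazuh.com/vulnerabilities/cves/{cve}"  # assumed pattern
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample inventory. CVE-2025-0411 is the 7-Zip issue from the post;
# the CVE-2024-00000 / CVE-2023-00000 identifiers are placeholders only.
SAMPLE_INVENTORY = [
    {"agent": {"name": "win-fileserver-01"},
     "package": {"name": "7-Zip", "version": "24.08"},
     "vulnerability": {"id": "CVE-2025-0411", "severity": "High",
                       "score": {"base": 7.0}, "published_at": "2025-01-25"}},
    {"agent": {"name": "win-workstation-07"},
     "package": {"name": "7-Zip", "version": "24.07"},
     "vulnerability": {"id": "CVE-2025-0411", "severity": "High",
                       "score": {"base": 7.0}, "published_at": "2025-01-25"}},
    {"agent": {"name": "win-workstation-07"},
     "package": {"name": "exampleapp", "version": "1.2.3"},
     "vulnerability": {"id": "CVE-2024-00000", "severity": "Medium",
                       "score": {"base": 5.3}, "published_at": "2024-06-01"}},
    # No CVSS score yet: must not crash the triage, sorts to the bottom.
    {"agent": {"name": "lnx-build-02"},
     "package": {"name": "examplelib", "version": "0.9"},
     "vulnerability": {"id": "CVE-2023-00000", "severity": "Untriaged",
                       "score": {}, "published_at": "2023-11-30"}},
]


@dataclass
class CveSummary:
    cve: str
    severity: str
    base_score: float
    published_at: str
    cti_url: str
    affected: list[str] = field(default_factory=list)  # "agent:package-version"


def cti_url(cve: str) -> str:
    """Build the CTI page URL; reject anything that is not a CVE identifier
    so a malformed inventory field never becomes an arbitrary link."""
    if not CVE_RE.match(cve):
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return CTI_CVE_URL.format(cve=cve)


def summarize(records: list[dict], min_score: float = 0.0) -> list[CveSummary]:
    """Group inventory records by CVE, drop those below min_score, and return
    them highest CVSS first (more affected hosts first on ties)."""
    by_cve: dict[str, CveSummary] = {}
    for rec in records:
        vuln = rec["vulnerability"]
        score = float(vuln.get("score", {}).get("base") or 0.0)
        if score < min_score:
            continue
        summary = by_cve.get(vuln["id"])
        if summary is None:
            summary = CveSummary(
                cve=vuln["id"],
                severity=vuln.get("severity", "Unknown"),
                base_score=score,
                published_at=vuln.get("published_at", ""),
                cti_url=cti_url(vuln["id"]),
            )
            by_cve[vuln["id"]] = summary
        pkg = rec.get("package", {})
        summary.affected.append(
            f"{rec['agent']['name']}:{pkg.get('name')}-{pkg.get('version')}")
    return sorted(by_cve.values(),
                  key=lambda s: (-s.base_score, -len(s.affected), s.cve))


if __name__ == "__main__":
    for s in summarize(SAMPLE_INVENTORY):
        print(f"{s.cve} {s.severity:<9} CVSS {s.base_score:<4} "
              f"hosts={len(s.affected)} {s.cti_url}")
```

Run it as-is and it prints one line per CVE with the CTI link to open; raise `min_score` (for example to 7.0) to keep only the records you would actually click through in the dashboard.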
The Wazuh CTI is a global threat intelligence service that collects, analyzes, and shares information about potential cyber threats and vulnerabilities. While it currently focuses on vulnerability intelligence, future updates will introduce broader threat intelligence domains. The CTI will also provide updates for the Wazuh ruleset to further enhance threat detection and response.
If you have any questions about this blog post or Wazuh, we invite you to join our community, where our team can assist you.