CVE-2025-44823

Published: Oct 7, 2025Modified: Nov 6, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

Affected (8)

Products: Nagios: Log Server

Nagios

1 product

Log Server

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Nagios Log Server	Before 2024
Nagios Log Server	Version 2024 r1.0.1
Nagios Log Server	Version 2024 r1.0.2
Nagios Log Server	Version 2024 r1.1
Nagios Log Server	Version 2024 r1.2
Nagios Log Server	Version 2024 r1.3.1
Nagios Log Server	Version 2024 r1.3
Nagios Log Server	Version 2024 r1

Related CWEs

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

References (3)

https://www.exploit-db.com/exploits/52177

Source: cve@mitre.org

ExploitVDB Entry

https://www.nagios.com/changelog/#log-server

Source: cve@mitre.org

Release Notes

https://www.exploit-db.com/exploits/52177

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVDB Entry

Timeline

No history available yet.