Overview

CVE: CVE-2025-44823
Severity: Critical
Date: 09 October 2025

A critical vulnerability (CVE-2025-44823) has been disclosed in Nagios Log Server, allowing authenticated users to retrieve cleartext administrative API keys through a direct API call. Exploitation of this flaw could lead to unauthorised administrative access and lateral movement across log analysis infrastructure.

This vulnerability is confirmed to affect all versions prior to 2024R1.3.2, and an exploit has been publicly released.

Affected Versions

  • Nagios Log Server 2024R1.3.1 and below.

Vulnerability Breakdown

CVE-2025-44823 – API Key Exposure Leading to Privilege Escalation

  • Type: Information Disclosure, Privilege Escalation
  • Severity: Critical
  • CVSS Score: 99
  • Description: An API-level vulnerability allows any authenticated user with a valid API token to send a request to the /api/system/get_users endpoint and receive a full list of user accounts along with their plaintext API keys.
  • Impact: Complete system compromise. An attacker can use an exposed administrator API key to gain full control of the Nagios Log Server instance.

Mitigation

Nagios has released software updates to address this vulnerability. The issue was fixed in version 2024R2, released on March 19, 2025, and in version 2024R1.3.2, released on April 9, 2025.

  • Upgrade all instances of Nagios Log Server to version 2024R2 or 2024R1.3.2 immediately.
  • Crucially, rotate all user API keys after applying the software update. Assume that any keys present before the upgrade may have been compromised.
  • Audit logs for any unusual or unauthorised requests to the /api/system/get_users endpoint.
  • No viable workarounds exist. Patching is mandatory.

Summary for IT Teams

  • Products: Nagios Log Server
  • Threat Level: Critical
  • Action Required:
    • Identify and apply patches to all affected Nagios Log Server installations, upgrading to a secure version.
    • Rotate all API keys for all users immediately following the upgrade.
    • Proactively hunt for indicators of compromise by auditing logs for suspicious API calls.
    • Isolate potentially compromised devices from the production network until they can be fully remediated.
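The Mitigation section asks for an audit of requests to the /api/system/get_users endpoint, and the Action Required list asks teams to hunt for suspicious API calls. The script below is an added example of how a SOC analyst might carry out that hunt over web server access logs; it is not tooling from Nagios or from this advisory. It assumes the web server in front of Nagios Log Server writes Apache/NCSA "combined" format access logs, and the five log lines embedded in it are constructed sample data (the IP addresses, timestamps and the token=... query parameter are invented for illustration, not observed values). Query parameter values are redacted before reporting so that any API token logged in a URL is not copied into the hunt output.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Endpoint named in the advisory as the source of the API key disclosure.
SENSITIVE_ENDPOINT = "/api/system/get_users"

# Assumed log format: Apache/NCSA "combined" access log.
# Adjust this pattern if your front-end web server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def redact_query(target):
    """Keep query parameter names but hide their values.

    API tokens may be passed in the query string, and a hunt report must not
    become a second place where those tokens are stored in cleartext.
    """
    parts = urlsplit(target)
    if not parts.query:
        return parts.path
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + "&".join(f"{k}=<redacted>" for k in names)


def find_get_users_requests(lines):
    """Return every request (any status) whose path is the sensitive endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        path = urlsplit(rec["target"]).path
        if path == SENSITIVE_ENDPOINT or path.startswith(SENSITIVE_ENDPOINT + "/"):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "target": redact_query(rec["target"]),
                "status": rec["status"],
            })
    return hits


def summarize_by_source(hits):
    """Count successful (2xx) calls per source IP.

    Each successful call returned the user list with API keys, so every
    source in this summary needs follow-up; failed calls (e.g. 401) are still
    present in the hit list for context but are not counted here.
    """
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


# Constructed sample log lines (invented addresses, times and token value).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2025:10:14:02 +0000] "GET /api/system/get_users?token=abc123 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.5 - - [09/Oct/2025:10:14:09 +0000] "GET /api/logs/query?token=abc123 HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.168.1.20 - - [09/Oct/2025:10:15:30 +0000] "GET /api/system/get_users HTTP/1.1" 401 98 "-" "python-requests/2.32"
10.0.0.7 - - [09/Oct/2025:10:16:11 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Oct/2025:10:20:45 +0000] "GET /api/system/get_users?token=abc123 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
""".splitlines()


if __name__ == "__main__":
    found = find_get_users_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("successful calls per source:", dict(summarize_by_source(found)))
```

To run this against a real server, replace SAMPLE_LOG with the lines of your access log (for example, iterating over an open file) and cover the full window back to the earliest point the vulnerable version was exposed, since the advisory notes that any key present before the upgrade should be treated as potentially compromised. A successful call from a source that should not need user administration is the signal to rotate keys and investigate that host.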

Reference

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.