CVE-2025-44823
published 2025-10-07
Priority P267 high 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
15.57%
96.4th percentile
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | log_server | < 2024R1.3.2 | 2024R1.3.2 |
| nagios | log_server | < 2024 | 2024 |
| nagios | log_server | — | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Log Server Admin API Credential Disclosure (CVE-2025-44823)"; flow:established,to_server; http.uri; content:"/nagioslogserver/index.php/api/system/get_users|3f|"; fast_pattern; startswith; content:"token|3d|"; reference:url,www.exploit-db.com/exploits/52177; reference:cve,2025-44823; classtype:web-application-attack; sid:2065281; rev:1; metadata:affected_product Nagios, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_21, cve CVE_2025_44823, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect HTTP requests to the vulnerable endpoint: the URI must start with /nagioslogserver/index.php/api/system/get_users? and include a token= parameter, indicating an authenticated API call attempting to harvest admin credentials.
- A public exploit is available at exploit-db.com/exploits/52177 — monitor for exploitation attempts originating from known scanning infrastructure targeting this endpoint.
- The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); correlate with other Initial Access indicators on the same destination server.
- The vulnerability is limited to authenticated users — unauthenticated requests will not expose API keys. Detection should account for sessions that already hold valid credentials.
- Only Nagios Log Server versions before 2024R1.3.2 are affected; verify the installed version before treating alerts as confirmed exploitation.
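The same two URI conditions can be checked retrospectively against the web server's access log. The script below is an added example, not part of the rule or of any Nagios tooling; it assumes the Apache/nginx "combined" log format, and the sample lines, addresses and token values are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path and parameter name come from the rule above.
ENDPOINT = "/nagioslogserver/index.php/api/system/get_users?"
# Assumption: the web server writes the Apache/nginx "combined" log format.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
TOKEN_RE = re.compile(r"(token=)[^&\s]+")

def matches_rule(uri):
    """Same two conditions as the rule: prefix match, then token= later on."""
    uri = unquote(uri)  # assumption: one round of percent-decoding
    return uri.startswith(ENDPOINT) and "token=" in uri[len(ENDPOINT):]

def hunt(lines):
    """Return one dict per matching request, with the token value redacted."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not matches_rule(m["uri"]):
            continue
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "status": int(m["status"]),
            # The token is itself a credential; keep it out of the report.
            "uri": TOKEN_RE.sub(r"\1<redacted>", unquote(m["uri"])),
        })
    return hits

def served_by_source(hits):
    """Count HTTP 200 responses per client: requests the server answered."""
    return Counter(h["src"] for h in hits if h["status"] == 200)

# Constructed sample lines (documentation IP ranges, dummy token values).
SAMPLE = [
    '198.51.100.7 - alice [21/Oct/2025:10:02:11 +0000] "GET /nagioslogserver/index.php/api/system/get_users?token=DUMMY1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Oct/2025:10:02:19 +0000] "GET /nagioslogserver/index.php/api/system/get_users?x=1&token=DUMMY1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Oct/2025:10:05:40 +0000] "GET /nagioslogserver/index.php/api/system/get_users?token=DUMMY2 HTTP/1.1" 403 212',
    '203.0.113.9 - - [21/Oct/2025:10:05:44 +0000] "GET /nagioslogserver/index.php/api/system/get_users HTTP/1.1" 401 212',
    '192.0.2.4 - - [21/Oct/2025:10:06:02 +0000] "GET /index.html?token=DUMMY3 HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
    print(dict(served_by_source(hunt(SAMPLE))))
```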
Suricata
ET WEB_SPECIFIC_APPS Nagios Log Server Admin API Credential Disclosure (CVE-2025-44823)
suricata·2025-10-21·CVSS 9.9
CVE-2025-44823 [CRITICAL] ET WEB_SPECIFIC_APPS Nagios Log Server Admin API Credential Disclosure (CVE-2025-44823)
No public exploits indexed.
2025-10-07
Published