CVE-2025-44823
published 2025-10-07


Priority: P2 · 67 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.57% (96.4th percentile)
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| nagios | log_server | < 2024R1.3.2 | 2024R1.3.2 |
| nagios | log_server | < 2024 | 2024 |
| nagios | log_server | | |

Detection & IOCs (extracted from sources)

url: /nagioslogserver/index.php/api/system/get_users
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Log Server Admin API Credential Disclosure (CVE-2025-44823)"; flow:established,to_server; http.uri; content:"/nagioslogserver/index.php/api/system/get_users|3f|"; fast_pattern; startswith; content:"token|3d|"; reference:url,www.exploit-db.com/exploits/52177; reference:cve,2025-44823; classtype:web-application-attack; sid:2065281; rev:1; metadata:affected_product Nagios, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_21, cve CVE_2025_44823, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP requests to the vulnerable endpoint: URI must start with /nagioslogserver/index.php/api/system/get_users? and include a token= parameter, indicating an authenticated API call attempting to harvest admin credentials.
  • A public exploit is available at exploit-db.com/exploits/52177 — monitor for exploitation attempts originating from known scanning infrastructure targeting this endpoint.
  • The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application) / TA0001 (Initial Access); correlate with other Initial Access indicators on the same destination server.
  • The vulnerability is limited to authenticated users; unauthenticated requests will not expose API keys. Detection should account for sessions that already hold valid credentials.
  • Only Nagios Log Server versions before 2024R1.3.2 are affected; verify the installed version before treating alerts as confirmed exploitation.
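
Where traffic is not inspected inline, the rule's two URI conditions can also be checked retrospectively against web server access logs. The following is an added example, not code from the rule's author or from the sources quoted on this page. It assumes Combined Log Format; the function name, sample lines, IP addresses and token values are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/nagioslogserver/index.php/api/system/get_users"

# Combined Log Format (assumed): ip ident user [time] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_get_users_calls(lines):
    """Return one dict per request that meets both URI conditions of the rule."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        parts = urlsplit(m["target"])
        # Decode percent-escapes so /get%5Fusers compares equal to /get_users.
        if unquote(parts.path) != ENDPOINT:
            continue
        # Second condition: the query string carries a token parameter.
        if "token" not in parse_qs(parts.query, keep_blank_values=True):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),  # 200 = the server answered the call
            # The token is a credential: keep it out of alerts and tickets.
            "uri": ENDPOINT + "?token=<redacted>",
        })
    return hits

# Constructed sample lines (documentation IP ranges, made-up token values).
SAMPLE_LOG = [
    '198.51.100.23 - - [21/Oct/2025:10:14:02 +0000] "GET /nagioslogserver/index.php/api/system/get_users?token=EXAMPLETOKEN0001 HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.23 - - [21/Oct/2025:10:14:05 +0000] "GET /nagioslogserver/index.php/api/system/get%5Fusers?token=EXAMPLETOKEN0001 HTTP/1.1" 403 211 "-" "curl/8.5.0"',
    '203.0.113.9 - - [21/Oct/2025:10:15:40 +0000] "GET /nagioslogserver/index.php/api/system/get_users HTTP/1.1" 401 98 "-" "-"',
    '203.0.113.9 - - [21/Oct/2025:10:15:44 +0000] "GET /nagioslogserver/index.php/dashboard?token=EXAMPLETOKEN0002 HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_get_users_calls(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a server older than 2024R1.3.2 is the case to prioritise, in line with the version caveat above.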