CVE-2025-28059

HIGH

Nagios Network Analyzer - Insufficient Session Expiration

Title source: rule
STIX 2.1

Description

An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.

References (2)

Scores

CVSS v3 7.5
EPSS 0.0106
EPSS Percentile 77.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-613
Status published
Products (1)
nagios/network_analyzer 2024 r1.0.3
Published Apr 18, 2025
Tracked Since Feb 18, 2026