CVE-2025-28132

MEDIUM

Nagios Network Analyzer - Insufficient Session Expiration

Title source: rule

Description

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.

References (2)

[Third Party Advisory] https://github.com/harshal79/Insufficient-Session-Expiration.git

View Writeup ZIP pw:eip

[Release Notes] https://www.nagios.com/changelog/#network-analyzer

Scores

CVSS v3 4.6

EPSS 0.0015

EPSS Percentile 35.3%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613

Status published

Products (1)

nagios/nagios_network_analyzer 2024 r1.0.3*

Published Apr 01, 2025

Tracked Since Feb 18, 2026