CVE-2025-34270

MEDIUM

Nagios Log Server < 2024 - Insufficiently Protected Credentials

Title source: rule

Description

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality: the password field is not obfuscated during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.

Scores

CVSS v3 4.9
EPSS 0.0010
EPSS Percentile 26.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-522, CWE-312
Status published
Products (2)
nagios/log_server 2024 r1 (13 CPE variants)
nagios/log_server < 2024
Published Oct 30, 2025
Tracked Since Feb 18, 2026