CVE-2025-34271

CRITICAL

Nagios Log Server < 2024 - Cleartext Transmission

Title source: rule

Description

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network path can intercept credentials in transit. Captured credentials could allow the attacker to authenticate as a cluster node or service account, enabling further unauthorized access, lateral movement, or system compromise.

References (3)

[Vendor Advisory] https://www.nagios.com/products/security/#log-server-2024R2

[Release Notes] https://www.nagios.com/changelog/#log-server

[Third Party Advisory] https://www.vulncheck.com/advisories/nagios-log-server-cluster-manager-credential-requests-sent-over-plaintext

Scores

CVSS v3 9.8

EPSS 0.0106

EPSS Percentile 77.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-319

Status published

Products (2)

nagios/log_server 2024 r1 (13 CPE variants)

nagios/log_server < 2024

Published Oct 30, 2025

Tracked Since Feb 18, 2026