CVE-2025-34298

HIGH

Nagios Log Server < 2024 - Privilege Escalation

Title source: rule

Description

Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls.

References (2)

[Release Notes] https://www.nagios.com/changelog/nagios-log-server-2024r1/

[Third Party Advisory] https://www.vulncheck.com/advisories/nagios-log-server-set-email-privilege-escalation

Scores

CVSS v3 8.8

EPSS 0.0009

EPSS Percentile 24.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-281

Status published

Products (2)

nagios/log_server 2024 r1 (7 CPE variants)

nagios/log_server < 2024

Published Oct 30, 2025

Tracked Since Feb 18, 2026