CVE-2025-44823

CRITICAL

Nagios Log Server <2024R1.3.2 - Info Disclosure

Title source: llm

Description

Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.

Exploits (2)

exploitdb WORKING POC

by Seth Kraft · webappsmultiple

https://www.exploit-db.com/exploits/52177

View Code ZIP pw:eip

nomisec WORKING POC

by skraft9 · poc

https://github.com/skraft9/CVE-2025-44823

View Code ZIP pw:eip

References (2)

[Exploit, VDB Entry] https://www.exploit-db.com/exploits/52177

[Release Notes] https://www.nagios.com/changelog/#log-server

Scores

CVSS v3 9.9

EPSS 0.0062

EPSS Percentile 70.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-497

Status published

Products (2)

nagios/log_server 2024 r1 (7 CPE variants)

nagios/log_server < 2024

Published Oct 07, 2025

Tracked Since Feb 18, 2026