CVE-2025-60424

HIGH

Nagios Fusion <2024R2 - Auth Bypass

Title source: llm

Description

A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack.

Exploits (2)

github SCANNER 2 stars

by adminlove520 · pythonpoc

https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-60424

View Code ZIP pw:eip

nomisec WRITEUP

by aakashtyal · poc

https://github.com/aakashtyal/2FA-Bypass-using-a-Brute-Force-Attack-CVE-2025-60424

View Code ZIP pw:eip

References (3)

[Mitigation, Third Party Advisory] https://github.com/aakashtyal/2FA-Bypass-using-a-Brute-Force-Attack

[Mitigation, Third Party Advisory] https://github.com/aakashtyal/2FA-Bypass-using-a-Brute-Force-Attack-CVE-2025-60424

[Release Notes] https://www.nagios.com/changelog/#fusion

Scores

CVSS v3 7.6

EPSS 0.0011

EPSS Percentile 28.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Details

CWE

CWE-287 CWE-307

Status published

Products (1)

nagios/fusion 2024 r1.2 (2 CPE variants)

Published Oct 27, 2025

Tracked Since Feb 18, 2026