CVE-2025-44823
Published: 07 October 2025
Summary
CVE-2025-44823 is a critical-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Nagios Log Server. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212). The CVE ranks in the top 25.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to restrict low-privilege authenticated users from accessing sensitive administrative API keys via the vulnerable endpoint.
Requires identification, reporting, and correction of flaws like this improper access control vulnerability through timely patching to Nagios Log Server 2024R1.3.2 or later.
Implements least privilege to ensure authenticated users only access resources necessary for their roles, mitigating exposure of administrative API keys.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows low-privileged authenticated users to exploit an API endpoint for credential access (T1212), enabling privilege escalation (T1068) and exploitation of a remote service (T1210).
NVD Description
Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475.
Deeper analysis
CVE-2025-44823 is a critical vulnerability in Nagios Log Server versions prior to 2024R1.3.2, stemming from exposure of sensitive system information to an unauthorized control sphere (CWE-497). It allows any authenticated user to retrieve cleartext administrative API keys through the API endpoint at /nagioslogserver/index.php/api/system/get_users, which requires authentication but does not restrict administrative data to administrators. The issue, tracked internally as GL:NLS#475, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting high impact on confidentiality, integrity, and availability with a changed scope.
An attacker with low-privilege authenticated access, such as a standard user account, can exploit this remotely over the network with minimal complexity and no user interaction required. Successful exploitation exposes sensitive administrative API keys in plaintext, enabling privilege escalation to full administrative control. This could allow attackers to manipulate server configurations, access logs, execute arbitrary actions via the API, or pivot to further compromise the environment.
Advisories reference a proof-of-concept exploit available on Exploit-DB (ID 52177) and point to the Nagios changelog for patch details. Mitigation involves upgrading to Nagios Log Server 2024R1.3.2 or later, which addresses the flaw by restricting access to administrative data in the affected API call.
Public availability of an Exploit-DB entry indicates active interest from the security research community, though no widespread real-world exploitation has been reported as of the CVE publication on 2025-10-07.
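The following Python is an added example, not code from Nagios or from the original advisory: it checks a version string against the fixed release 2024R1.3.2 and lists access-log requests to the get_users endpoint so they can be reviewed. The Apache combined log format, the function names, and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Path and first fixed release as stated in the advisory text above.
ENDPOINT = "/nagioslogserver/index.php/api/system/get_users"
FIXED = (2024, 1, 3, 2)  # 2024R1.3.2

# Assumption: the web server writes Apache "combined" format access logs.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse_version(text):
    """Convert '2024R1.3.2' style strings into a comparable 4-tuple."""
    m = re.fullmatch(r"(\d{4})R(\d+)((?:\.\d+){0,2})", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    tail = [int(p) for p in m.group(3).split(".") if p]
    parts = [int(m.group(1)), int(m.group(2))] + tail
    return tuple(parts + [0] * (4 - len(parts)))  # '2024R2' -> (2024, 2, 0, 0)

def is_affected(version):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED

def get_users_requests(lines):
    """Return (timestamp, client, method, status) for each call to ENDPOINT."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, ts, method, target, status = m.groups()
        # Drop the query string and decode %xx so encoded paths still match.
        path = re.sub(r"/+", "/", unquote(urlsplit(target).path))
        if path.rstrip("/") == ENDPOINT:
            hits.append((ts, client, method, int(status)))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2025:10:01:02 +0000] "GET /nagioslogserver/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2025:10:03:44 +0000] "GET /nagioslogserver/index.php/api/system/get_users?a=1 HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.7 - - [07/Oct/2025:10:03:50 +0000] "GET /nagioslogserver/index.php/api/system/get%5Fusers HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '192.0.2.10 - - [07/Oct/2025:10:09:13 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("2024R1.3.1 affected:", is_affected("2024R1.3.1"))
    for hit in get_users_requests(SAMPLE_LOG):
        print(hit)
```

Any hit from an account that is not an administrator, on a host that ran a version before 2024R1.3.2, is a reason to rotate the administrative API keys after upgrading.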
Details
- CWE(s)