Cyber Posture

CVE-2025-44824

High · Public PoC

Published: 07 October 2025

Modified: 06 November 2025
CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
EPSS Score 0.0016 36.5th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-44824 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Nagios Log Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Stop (T1489). By exploit likelihood it ranks at the 36.5th percentile (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Service Stop (T1489) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces least privilege to prevent read-only API users from performing high-impact actions like stopping the Elasticsearch service.

prevent

Mandates enforcement of approved authorizations, blocking unauthorized API calls that stop critical services despite read-only access.

prevent

Requires explicit access control decisions for system resources, addressing the incorrect authorization allowing low-privileged users to control the Elasticsearch subsystem.

MITRE ATT&CK Enterprise Techniques · AI

T1489 · Service Stop · Impact
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

T1499.002 · Service Exhaustion Flood · Impact
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).

T1685 · Disable or Modify Tools · Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.

Why these techniques?

The vulnerability enables low-privileged authenticated users to remotely stop the Elasticsearch service via API, facilitating Service Stop (T1489), Service Exhaustion Flood via service disruption (T1499.002), and Disable or Modify Tools by impairing the log server's defensive logging capabilities (T1562.001).

NVD Description

Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.

Deeper analysis · AI

CVE-2025-44824 is a vulnerability in Nagios Log Server versions before 2024R1.3.2 that enables authenticated users with read-only API access to stop the Elasticsearch service. This occurs via an API call to /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch, where the service halts despite the response containing the message "Could not stop elasticsearch." The issue stems from CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H), highlighting high availability impact with changed scope.

Low-privileged authenticated users can exploit this remotely over the network with low attack complexity and no user interaction. By issuing the specified API request, they achieve a denial-of-service condition, fully stopping the Elasticsearch service and disrupting log processing and search functionality in the affected Nagios Log Server deployment.

The Nagios changelog at https://www.nagios.com/changelog/#log-server details the fix in version 2024R1.3.2. A proof-of-concept demonstrating the denial-of-service is publicly available at https://github.com/skraft9/nagios-log-server-dos.
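
A detection sketch for the request described above, added here as an example (it is not code from Nagios or from the referenced PoC). It scans web-server access log lines for calls to the `api/system/stop` endpoint that target the `elasticsearch` subsystem; the combined log format, the function names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path and subsystem value as quoted in the NVD description.
STOP_PATH = "/nagioslogserver/index.php/api/system/stop"
SUBSYSTEM = "elasticsearch"

# Assumption: the access log uses the Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_stop_call(target):
    """True if a request target addresses the system/stop API for elasticsearch."""
    parts = urlsplit(target)
    # Normalise: decode %-escapes, collapse '//', drop trailing '/', ignore case.
    path = re.sub(r"/+", "/", unquote(parts.path)).rstrip("/").lower()
    if path != STOP_PATH:
        return False
    values = parse_qs(parts.query).get("subsystem", [])
    return any(v.strip().lower() == SUBSYSTEM for v in values)

def find_stop_calls(lines):
    """Return (ip, timestamp, method, status) for every matching log line.

    The HTTP status and response body are deliberately not used to filter:
    per the NVD description the service stops even when the API reports failure.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_stop_call(m["target"]):
            hits.append((m["ip"], m["ts"], m["method"], m["status"]))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Oct/2025:10:15:02 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch HTTP/1.1" 200 61 "-" "curl/8.5.0"',
    '203.0.113.7 - - [07/Oct/2025:10:15:09 +0000] "POST /nagioslogserver//index.php/api/system/stop/?pretty=1&subsystem=Elastic%73earch HTTP/1.1" 200 61 "-" "-"',
    '198.51.100.20 - - [07/Oct/2025:10:16:40 +0000] "GET /nagioslogserver/index.php/dashboard HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [07/Oct/2025:10:17:03 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=logstash HTTP/1.1" 200 58 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_stop_calls(SAMPLE_LOG):
        print(*hit)
```

Access logs do not record the caller's role, so each hit still has to be correlated with the API user that made it and with the Elasticsearch service state at that timestamp.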

Details

Affected Products

nagios
log server
2024 · ≤ 2024

CVEs Like This One

CVE-2023-7322 · Same product: Nagios Log Server
CVE-2025-34271 · Same product: Nagios Log Server
CVE-2025-34277 · Same product: Nagios Log Server
CVE-2025-34274 · Same product: Nagios Log Server
CVE-2025-44823 · Same product: Nagios Log Server
CVE-2025-60425 · Same product class: network monitoring / SIEM
CVE-2023-7317 · Same product class: network monitoring / SIEM
CVE-2024-14005 · Same product class: network monitoring / SIEM
CVE-2025-67255 · Same product class: network monitoring / SIEM
CVE-2026-2041 · Same product class: network monitoring / SIEM
