Cyber Resilience

CVE-2025-44824

High · Public PoC

Published: 07 October 2025

Modified: 06 November 2025
KEV Added
Patch
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H)
EPSS Score: 0.0015 (35.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44824 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Nagios Log Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Service Stop (T1489). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-44824 is a vulnerability in Nagios Log Server versions before 2024R1.3.2 that enables authenticated users with read-only API access to stop the Elasticsearch service. This occurs via an API call to /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch, where the service halts despite the response containing the message "Could not stop elasticsearch." The issue stems from CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H), highlighting high availability impact with changed scope.

Low-privileged authenticated users can exploit this remotely over the network with low attack complexity and no user interaction. By issuing the specified API request, they achieve a denial-of-service condition, fully stopping the Elasticsearch service and disrupting log processing and search functionality in the affected Nagios Log Server deployment.

The Nagios changelog at https://www.nagios.com/changelog/#log-server details the fix in version 2024R1.3.2. A proof-of-concept demonstrating the denial-of-service is publicly available at https://github.com/skraft9/nagios-log-server-dos.
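Because the API response reports "Could not stop elasticsearch" even when the service halts, detection has to key on the request itself rather than on the reply. The following is an added example (not code from this advisory or from Nagios) that scans web access logs for calls to the endpoint described above; the combined log format, the sample lines, and the names `find_stop_calls`, `STOP_PATH` and `SAMPLE_LOG` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint path quoted in the advisory text above.
STOP_PATH = "/nagioslogserver/index.php/api/system/stop"

# Assumption: Apache/nginx "combined" access-log layout with the query string logged.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_stop_calls(lines):
    """Return one record per request that reached the system/stop endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        url = urlsplit(m["target"])
        # Decode %-escapes and collapse repeated slashes before comparing paths.
        path = re.sub(r"/{2,}", "/", unquote(url.path)).rstrip("/").lower()
        if path != STOP_PATH:
            continue
        subsystems = [s.lower() for s in parse_qs(url.query).get("subsystem", [])]
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            # Recorded for context only: the advisory notes the service stops even
            # when the response reports "Could not stop elasticsearch".
            "status": int(m["status"]),
            "elasticsearch": "elasticsearch" in subsystems,
        })
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Oct/2025:09:58:41 +0000] "GET /nagioslogserver/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Oct/2025:10:01:02 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch HTTP/1.1" 200 97 "-" "curl/8.5.0"',
    '198.51.100.7 - - [07/Oct/2025:10:01:09 +0000] "GET /nagioslogserver//index.php/api/system/stop?subsystem=Elasticsearch HTTP/1.1" 200 97 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in find_stop_calls(SAMPLE_LOG):
        print(hit)
```

Correlate each hit's timestamp with Elasticsearch service uptime to confirm whether the call had an effect.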

Vulnerability details

Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1489 Service Stop (Impact)
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
T1499.002 Service Exhaustion Flood (Impact)
Adversaries may target the different network services provided by systems to conduct a denial of service (DoS).
T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

The vulnerability enables low-privileged authenticated users to remotely stop the Elasticsearch service via API, facilitating Service Stop (T1489), Service Exhaustion Flood via service disruption (T1499.002), and Disable or Modify Tools by impairing the log server's defensive logging capabilities (T1562.001).

CVEs Like This One

CVE-2023-7322 · Same product: Nagios Log Server
CVE-2025-34271 · Same product: Nagios Log Server
CVE-2025-34274 · Same product: Nagios Log Server
CVE-2025-44823 · Same product: Nagios Log Server
CVE-2025-34277 · Same product: Nagios Log Server
CVE-2026-2042 · Same product class: network monitoring / SIEM
CVE-2025-67255 · Same product class: network monitoring / SIEM
CVE-2024-13999 · Same product class: network monitoring / SIEM
CVE-2026-2041 · Same product class: network monitoring / SIEM
CVE-2024-13995 · Same product class: network monitoring / SIEM

Affected Assets

nagios
log server
2024 · ≤ 2024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Enforces least privilege to prevent read-only API users from performing high-impact actions like stopping the Elasticsearch service.

prevent

Mandates enforcement of approved authorizations, blocking unauthorized API calls that stop critical services despite read-only access.

prevent

Requires explicit access control decisions for system resources, addressing the incorrect authorization allowing low-privileged users to control the Elasticsearch subsystem.
