CVE-2025-60425
Published: 27 October 2025
Summary
CVE-2025-60425 is a high-severity Object Hijack (CWE-491) vulnerability in Nagios Fusion. Its CVSS base score is 8.6 (High).
Exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked in the top 18.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): requires automatic termination of user sessions upon organization-defined conditions or trigger events, such as enabling 2FA, directly preventing reuse of existing session tokens.
- IA-5 (Authenticator Management): mandates proper management and invalidation of authenticators, including session tokens, upon organization-defined events such as 2FA enablement.
- Re-authentication: requires re-authentication for privileged actions or changes, with session termination options, mitigating persistent token reuse after 2FA activation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability fails to invalidate session tokens upon enabling 2FA, enabling browser session hijacking (T1185) and continued use of stolen web session cookies as alternate authentication material (T1550.004) for unauthorized access and privilege escalation.
NVD Description
Nagios Fusion v2024R1.2 and v2024R2 do not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack.
Deeper analysis
CVE-2025-60425 affects Nagios Fusion versions v2024R1.2 and v2024R2, where the software fails to invalidate existing session tokens when the two-factor authentication (2FA) mechanism is enabled. The flaw is classified under CWE-491 (Object Hijack), enables session hijacking, and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L). The severity is driven by network accessibility, low attack complexity, and the absence of prerequisites such as privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely by obtaining a valid session token prior to 2FA enablement (for example through phishing, malware, or prior unauthorized access) and reusing it after 2FA activation to hijack the victim's session. Successful exploitation yields a high integrity impact (I:H), allowing unauthorized actions such as configuration changes or data manipulation under the victim's privileges, alongside low confidentiality (C:L) and availability (A:L) impacts.
Advisories and mitigation details are available in the provided references, including the Nagios changelog at https://www.nagios.com/changelog/#fusion for patch information and GitHub repositories https://github.com/aakashtyal/Session-Persistence-After-Enabling-2FA and https://github.com/aakashtyal/Session-Persistence-After-Enabling-2FA-CVE-2025-60425 for technical analysis and proof-of-concept. Security practitioners should review these for upgrade guidance and apply patches promptly.
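The following is an added example, not Nagios Fusion code: a minimal in-memory session store that models the defect described above (the 2FA flag flips but tokens issued before enablement keep working) next to the corrected behaviour, where 2FA enablement is treated as a credential change that revokes existing sessions and rotates the caller's own. All names and the sample user are constructed.

```python
import secrets


class SessionStore:
    """Constructed model of a web session store: token -> username, plus per-user 2FA state."""

    def __init__(self):
        self.sessions = {}        # token -> username
        self.twofa_enabled = {}   # username -> bool

    def login(self, username):
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def is_valid(self, token):
        return token in self.sessions

    def enable_2fa_vulnerable(self, username):
        # Vulnerable pattern (CVE-2025-60425 behaviour): only the flag changes.
        # Every token issued before enablement keeps validating, so a token
        # obtained earlier still grants access after 2FA is switched on.
        self.twofa_enabled[username] = True

    def enable_2fa_fixed(self, username, current_token):
        # Corrected pattern (AC-12 / IA-5): revoke every session the user holds,
        # then issue a fresh token to the session that made the change so the
        # legitimate user is not simply logged out.
        if self.sessions.get(current_token) != username:
            raise PermissionError("2FA change must come from an authenticated session")
        self.twofa_enabled[username] = True
        for tok in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[tok]
        return self.login(username)


def pre_2fa_token_survives(use_fixed):
    """Return True if a token issued before 2FA enablement still validates afterwards.

    Simulates two sessions for a constructed user: one issued earlier (the token
    the advisory is concerned with) and the one from which 2FA is enabled.
    """
    store = SessionStore()
    earlier = store.login("alice")   # constructed: token issued before 2FA enablement
    own = store.login("alice")       # the session that enables 2FA
    if use_fixed:
        store.enable_2fa_fixed("alice", current_token=own)
    else:
        store.enable_2fa_vulnerable("alice")
    return store.is_valid(earlier)
```

The same check can serve as a regression test against a real application: log in twice, enable 2FA from one session, and assert that the other session's token is rejected.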
Details
- CWE(s)