researchers have identified two critical in Nagios Log Server, the enterprise log management solution widely used for centralized logging, real-time monitoring, and alerting. The , tracked as CVE-2025-44823 and CVE-2025-44824, could allow authenticated users to retrieve plaintext administrative API keys or disable the Elasticsearch service entirely, leading to loss of visibility and potential full system compromise.
Both affect Nagios Log Server versions prior to 2024R1.3.2, and administrators are urged to update immediately to the latest release to mitigate exploitation risks.
The first , CVE-2025-44823, rated 9.9 (Critical), resides in the /nagioslogserver/index.php/api/system/get_users API endpoint. According to the advisory, “Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call.”
In simpler terms, any user with a valid API token — even a low-privilege account — can invoke this API endpoint and obtain the full list of all registered users, including their plaintext API keys. This exposure completely undermines authentication controls and allows for privilege escalation to administrative roles.
The CVE description wrote: “An API-level … allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials.”
A proof-of-concept (PoC) demonstrates how trivial exploitation can be:
curl -X GET "http://<target-ip>/nagioslogserver/index.php/api/system/get_users?token=<valid_token>"The server responds with a JSON array containing user details and their associated keys:
[
{
"name": "devadmin",
"username": "devadmin",
"email": "[email protected]",
"apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
"auth_type": "admin"
}
]With administrative API keys exposed, an attacker can impersonate privileged accounts, manipulate system configurations, and access or modify all log data, effectively taking control of the monitoring infrastructure. This creates significant risk in environments where Nagios Log Server monitors sensitive operational or data.
The vendor’s updated version, 2024R1.3.2, corrects the issue by restricting access to user and key listings and ensuring that API responses never include plaintext credentials.
The second , CVE-2025-44824, rated 8.5 (High), affects the /nagioslogserver/index.php/api/system/stop endpoint. This vulnerability allows any authenticated user with read-only API access to stop the underlying Elasticsearch subsystem, effectively disabling the entire log monitoring function.
The CVE description notes:
“Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call.”
What makes the issue particularly deceptive is that the API returns an incorrect error message, misleading administrators into thinking the shutdown failed. The response states “status”: “error”, “message”: “Could not stop elasticsearch”, even though the service has indeed been terminated.
An example exploit request shows how easy it is to trigger the issue:
curl -X POST "http://<target-ip>/nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch&token=<valid_token>"Despite the “error” message, Elasticsearch stops running, halting all log indexing and query operations. This vulnerability can be weaponized to perform denial-of-service (DoS) attacks, disrupting real-time log ingestion and analysis across enterprise networks.
In production environments, such an attack could blind security teams by eliminating alert visibility and disabling compliance logging. It also poses a secondary risk: malicious insiders could use this exploit to erase traces of other attacks by interrupting log collection processes.
Version 2024R1.3.2 introduces stricter authorization checks, ensuring that only administrative-level API tokens can execute service control operations and returning accurate response codes.
- Nagios XI Vulnerabilities: A Serious Risk to Organizations
- PoC Exploit Released for Nagios XI RCE Flaw Allows Attackers to Hijack Servers
- CVE-2024-24401 & 24402: Nagios XI Security Flaws Found! PoC Published
- GitHub admitted to record some Plaintext Passwords in Its Internal Logs
- Hitachi Energy’s Asset Suite Hit by Multiple Critical Vulnerabilities
