CVE-2025-34271

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network path can intercept credentials in transit. Captured credentials could allow the attacker to authenticate as a cluster node or service account, enabling further unauthorized access, lateral movement, or system compromise.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.nagios.com/changelog/#log-server	Release Notes
https://www.nagios.com/products/security/#log-server-2024R2	Vendor Advisory
https://www.vulncheck.com/advisories/nagios-log-server-cluster-manager-credential-requests-sent-over-plaintext	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nagios:log_server::::::::
	cpe:2.3:a:nagios:log_server:2024:r1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.0.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.1::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.2::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.3::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.4::::::
	cpe:2.3:a:nagios:log_server:2024:r1.3.5::::::
	cpe:2.3:a:nagios:log_server:2024:r2::::::
	cpe:2.3:a:nagios:log_server:2024:r2.0.1::::::

History

06 Nov 2025, 16:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://www.nagios.com/changelog/#log-server -~~	() https://www.nagios.com/changelog/#log-server - Release Notes
References	~~() https://www.nagios.com/products/security/#log-server-2024R2 -~~	() https://www.nagios.com/products/security/#log-server-2024R2 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/nagios-log-server-cluster-manager-credential-requests-sent-over-plaintext -~~	() https://www.vulncheck.com/advisories/nagios-log-server-cluster-manager-credential-requests-sent-over-plaintext - Third Party Advisory
CPE		cpe:2.3:a:nagios:log_server:2024:r1.3.2:::::: cpe:2.3:a:nagios:log_server:2024:r1:::::: cpe:2.3:a:nagios:log_server:2024:r1.3.4:::::: cpe:2.3:a:nagios:log_server:2024:r1.0.2:::::: cpe:2.3:a:nagios:log_server:2024:r1.1:::::: cpe:2.3:a:nagios:log_server:2024:r1.3:::::: cpe:2.3:a:nagios:log_server:::::::: cpe:2.3:a:nagios:log_server:2024:r1.3.3:::::: cpe:2.3:a:nagios:log_server:2024:r1.2:::::: cpe:2.3:a:nagios:log_server:2024:r1.3.1:::::: cpe:2.3:a:nagios:log_server:2024:r1.0.1:::::: cpe:2.3:a:nagios:log_server:2024:r2.0.1:::::: cpe:2.3:a:nagios:log_server:2024:r1.3.5:::::: cpe:2.3:a:nagios:log_server:2024:r2::::::
First Time		Nagios log Server Nagios

30 Oct 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-10-30 22:15

Updated : 2025-11-06 16:29

NVD link : CVE-2025-34271

Mitre link : CVE-2025-34271

CVE.ORG link : CVE-2025-34271

JSON object : View

Products Affected

nagios

log_server

CWE

CWE-319

Cleartext Transmission of Sensitive Information

9.8 /10