The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server.
About the flaws
The vulnerabilities, discovered and reported by security researchers Seth Kraft and Alex Tisdale, include:
1. A stored XSS vulnerability (CVE-2025-29471) in the web interface of Nagios Log Server that allows a standard (low-privilege) user to inject a malicious JavaScript payload into their profile's "email" field to achieve privilege escalation.
“When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation,” Kraft says. “The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.”
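The flaw described above is the classic stored-XSS pattern: a value a low-privilege user controls (the profile e-mail field) is later written into a page an administrator views (the audit log) without output encoding. The following is an added, generic illustration written for this article; it is not Nagios code and makes no claim about how Nagios Log Server renders its audit log. It shows the vulnerable rendering pattern next to the two defences a reviewer would expect: a conservative allowlist check on write (the `EMAIL_RE` pattern and `validate_email` helper are assumptions constructed for the example) and HTML-escaping of every user-controlled field at render time.

```python
import html
import re

# Conservative allowlist for a profile e-mail field (constructed for this example).
# It rejects angle brackets, quotes and whitespace outright, so markup never reaches
# storage in the first place. Escaping on output below is still required, because
# other write paths (imports, older records, API clients) may bypass this check.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value: str) -> bool:
    """Return True only for values that look like a plain e-mail address."""
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def render_audit_row_unsafe(entry: dict) -> str:
    """The vulnerable pattern: user-controlled fields interpolated straight into HTML.

    Whatever the user saved in 'email' is emitted verbatim, so any markup in it is
    interpreted by the administrator's browser when the audit log is viewed.
    """
    return (
        f"<tr><td>{entry['user']}</td>"
        f"<td>{entry['email']}</td>"
        f"<td>{entry['action']}</td></tr>"
    )


def render_audit_row(entry: dict) -> str:
    """Hardened rendering: every user-controlled field is HTML-escaped at output time.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so stored markup is
    displayed as text rather than executed, regardless of how it got into storage.
    """
    cells = (html.escape(str(entry[key]), quote=True) for key in ("user", "email", "action"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


# Constructed sample record: a low-privilege user stored markup in the e-mail field.
SAMPLE_ENTRY = {
    "user": "analyst",
    "email": "analyst@example.com<script>probe()</script>",
    "action": "profile_update",
}


if __name__ == "__main__":
    print("validate_email accepts sample:", validate_email(SAMPLE_ENTRY["email"]))
    print("unsafe:", render_audit_row_unsafe(SAMPLE_ENTRY))
    print("safe:  ", render_audit_row(SAMPLE_ENTRY))
```

The write-time check is the cheap win, but the render-time escape is the control that actually closes the bug: it protects the administrator's session even when a record was stored before the validation existed.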
2. A DoS vulnerability (CVE pending) that could allow non-admin users to shut down Elasticsearch – a code dependency of Nagios Log Server – via the API.
“If Elasticsearch is stopped, logs cannot be indexed, alerts cannot be generated, and historical data retrieval fails,” Kraft explained.
3. An information disclosure vulnerability (CVE pending) that allows any low-level user (with API read-only access) to perform a “get_users” API request and grab API keys (tokens) for all read-only and admin users in plaintext.
“This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens,” Tisdale noted.
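Flaws 2 and 3 above share a root cause: an API action that was reachable by a read-only caller (stopping Elasticsearch) and a response that returned secrets a read-only caller has no need for (other users' API keys). The example below is an added, generic illustration for this article, not Nagios code, and does not describe the actual Nagios Log Server API. The action names, roles, user records and `*-KEY-PLACEHOLDER` values are all constructed. It shows a closed-by-default role allowlist for API actions and a user-listing response that never serialises API keys, together with an audit record of denied calls that a detection rule could alert on.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class User:
    name: str
    role: str      # "admin" or "readonly" (constructed roles for this example)
    api_key: str   # placeholder values only; never a real token


# Constructed user table for the example.
USERS: List[User] = [
    User("alice", "admin", "ADMIN-KEY-PLACEHOLDER"),
    User("bob", "readonly", "RO-KEY-PLACEHOLDER"),
]

# Explicit allowlist of which roles may invoke which API actions (hypothetical action
# names). An action missing from this table is denied, so new endpoints are closed by
# default rather than inheriting read-only access.
ACTION_ROLES: Dict[str, set] = {
    "get_users": {"admin", "readonly"},
    "stop_elasticsearch": {"admin"},
}

# Denied calls are recorded here so they can be shipped to a SIEM; repeated denials
# from one read-only account are a useful signal of probing.
AUDIT_LOG: List[str] = []


def authorize(caller: User, action: str) -> bool:
    """True only if the caller's role is explicitly allowed to run the action."""
    return caller.role in ACTION_ROLES.get(action, set())


def get_users(caller: User) -> List[dict]:
    """List users without ever serialising credentials.

    Secrets are dropped at the point the response is built, not filtered out later,
    so there is no code path that can accidentally return another user's key.
    """
    return [{"name": user.name, "role": user.role} for user in USERS]


def handle_request(caller: User, action: str) -> Tuple[int, dict]:
    """Minimal API dispatcher: authorise first, then act."""
    if not authorize(caller, action):
        AUDIT_LOG.append(f"DENY user={caller.name} role={caller.role} action={action}")
        return 403, {"error": "forbidden"}
    if action == "get_users":
        return 200, {"users": get_users(caller)}
    if action == "stop_elasticsearch":
        # Stand-in for the privileged operation; only reachable by an admin.
        AUDIT_LOG.append(f"ALLOW user={caller.name} action={action}")
        return 200, {"result": "stop requested"}
    return 404, {"error": "unknown action"}


if __name__ == "__main__":
    admin, reader = USERS
    print(handle_request(reader, "stop_elasticsearch"))
    print(handle_request(reader, "get_users"))
    print(handle_request(admin, "stop_elasticsearch"))
    print("\n".join(AUDIT_LOG))
```

The two properties worth checking in a review of any management API are visible in the tests: a read-only caller cannot reach a service-stopping action at all, and the user listing contains no key material for any caller, admin included.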
Fixes and PoC exploits available
The vulnerabilities affect Nagios Log Server version 2024R1.3.1 and have been fixed in:
Users looking to switch to Nagios Log Server 2024R2 should know that it is a fully new version, with a new front and back end, and that because of the latter an in-place upgrade from 2024R1 to 2024R2 is not possible.
Machines running Nagios Log Server are rarely internet-facing and all three vulnerabilities can be leveraged only by authenticated attackers, but proof-of-concept (PoC) exploits for two of them are already public, so organizations should upgrade/migrate to a fixed version sooner rather than later.