Advisory

Nagios patches multiple flaws in their Log Server, at least one critical

Take action: First, make sure your Nagios Log Server is not exposed to the internet. Then, if you're running any Nagios Log Server version before 2024R1.3.2, plan a quick upgrade, since any authenticated user can retrieve the administrative API keys or stop the Elasticsearch service the Log Server depends on. After upgrading, rotate all API keys and review your audit logs for any suspicious access to the affected API endpoints.


Learn More

Nagios has patched multiple security vulnerabilities affecting its Log Server platform. The flaws expose enterprise monitoring infrastructure to unauthorized administrative access and service disruption attacks.

Vulnerabilities summary:

  • CVE-2025-44823 (CVSS score 9.9) allows any authenticated user to retrieve cleartext administrative API keys through a simple GET request to /nagioslogserver/index.php/api/system/get_users. The administrative credentials returned by that endpoint can then be used for complete system compromise.
  • CVE-2025-44824 (CVSS score 8.5) enables authenticated users with read-only API access to stop the Elasticsearch service, a critical dependency of Nagios Log Server. Attackers can call /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch; the service is terminated even though the API response misleadingly reports "Could not stop elasticsearch." Stopping Elasticsearch halts log ingestion, impairs alerting, and undermines overall monitoring effectiveness.

Affected versions: all Nagios Log Server versions prior to 2024R1.3.2.

Versions that are not affected:

  • Nagios Log Server version 2024R1.3.2 and all later versions
  • Nagios Log Server version 2024R2 and all later versions

Organizations running affected Nagios Log Server versions should upgrade to version 2024R1.3.2 or later to address both vulnerabilities. 

As a precautionary measure, rotate all API keys immediately after upgrading to the fixed version: any key retrieved through get_users before the patch remains valid until it is rotated. Organizations should also review audit logs for unauthorized access to the /nagioslogserver/index.php/api/system/get_users endpoint and for any unexpected service stop commands targeting Elasticsearch. Do not rely on the HTTP response to judge whether a stop call succeeded, since the endpoint reports failure even when the service was actually terminated.
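As an added example (not part of the original advisory and not Nagios' own tooling), the following Python script performs the audit-log review described above over Apache combined-format access-log lines for the web server fronting Nagios Log Server. The sample log lines, the client IP addresses and the assumption that the API key is passed as a token query parameter are all constructed for this example; adjust the parser if your deployment logs requests differently. The script flags every request to the get_users endpoint and every call to the stop endpoint (reporting which subsystem was targeted), redacts the API key before reporting, and tallies hits per client IP and CVE. It deliberately does not filter on the HTTP status, because the stop endpoint reports failure even when Elasticsearch was actually terminated.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" access-log lines for the web server that fronts
# Nagios Log Server. Sample data for this example only, not real traffic.
# The "token=" query parameter is an assumption about how the API key is passed;
# adjust the redaction pattern if your deployment differs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:08:15:02 +0000] "GET /nagioslogserver/index.php/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:08:15:41 +0000] "GET /nagioslogserver/index.php/api/system/get_users?token=abc123 HTTP/1.1" 200 884 "-" "python-requests/2.31"
198.51.100.9 - - [10/Sep/2025:08:16:05 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch&token=abc123 HTTP/1.1" 200 61 "-" "curl/8.4.0"
10.0.0.5 - - [10/Sep/2025:08:17:30 +0000] "GET /nagioslogserver/index.php/api/system/status?token=def456 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2025:08:18:12 +0000] "GET /nagioslogserver/index.php/api/system/stop?subsystem=logstash&token=abc123 HTTP/1.1" 200 61 "-" "curl/8.4.0"
this line is not a valid access-log record
"""

# Endpoints named in the advisory.
GET_USERS_PATH = "/nagioslogserver/index.php/api/system/get_users"
STOP_PATH = "/nagioslogserver/index.php/api/system/stop"

# Apache combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def redact_token(target: str) -> str:
    """Mask the API key so findings can be pasted into a ticket safely."""
    return re.sub(r'(token=)[^&\s]+', r'\1<redacted>', target)


def classify(target: str):
    """Return (cve, subsystem) when the request path is a vulnerable endpoint, else None."""
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if path == GET_USERS_PATH:
        return ("CVE-2025-44823", None)
    if path == STOP_PATH:
        subsystem = parse_qs(parts.query).get("subsystem", ["<unspecified>"])[0]
        return ("CVE-2025-44824", subsystem)
    return None


def find_suspicious(log_text: str) -> list:
    """Scan access-log text and return one finding per request to a vulnerable endpoint.

    The HTTP status is recorded but never used as a filter: the stop endpoint
    answers "Could not stop elasticsearch" even when the service was actually
    terminated, so a 200 says nothing about the effect of the call.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log records
        hit = classify(m.group("target"))
        if hit is None:
            continue
        cve, subsystem = hit
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "cve": cve,
            "subsystem": subsystem,
            "request": redact_token(m.group("target")),
        })
    return findings


def summarize(findings: list) -> Counter:
    """Count findings per (client IP, CVE) to spot one source probing both flaws."""
    return Counter((f["ip"], f["cve"]) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        extra = f" subsystem={f['subsystem']}" if f["subsystem"] else ""
        print(f"{f['ts']} {f['ip']} {f['cve']}{extra} {f['method']} {f['request']} -> {f['status']}")
    for (ip, cve), n in summarize(hits).items():
        print(f"{ip}: {n} request(s) matching {cve}")
```

Run it against your real access log (for example by reading /var/log/httpd/access_log instead of SAMPLE_LOG) and treat any get_users hit from a non-administrative source, and any stop call you did not initiate, as grounds for rotating keys and checking whether Elasticsearch is still running.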

As a mitigating measure for organizations that cannot upgrade immediately, administrators should restrict access to the Nagios Log Server web interface and API with network-level access controls (firewall rules, a VPN, or an allow-list of administrator networks). This does not remove the flaws, since both are exploitable by any authenticated user; it only limits who can reach the vulnerable endpoints until the upgrade is done.
