Vulnerability Description
Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/TLS is enabled in the product configuration. As a result, an attacker positioned on the network path can intercept credentials in transit. Captured credentials could allow the attacker to authenticate as a cluster node or service account, enabling further unauthorized access, lateral movement, or system compromise.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Log Server | < 2024 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/#log-serverRelease Notes
- https://www.nagios.com/products/security/#log-server-2024R2Vendor Advisory
- https://www.vulncheck.com/advisories/nagios-log-server-cluster-manager-credentiaThird Party Advisory
FAQ
What is CVE-2025-34271?
CVE-2025-34271 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the cluster manager component when requesting sensitive credentials from peer nodes over an unencrypted channel even when SSL/...
How severe is CVE-2025-34271?
CVE-2025-34271 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-34271?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Log Server.