CVE-2025-28059

An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1	Third Party Advisory
https://www.nagios.com/changelog/#network-analyze	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:nagios:network_analyzer:2024:r1.0.3:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-18 17:15

Updated : 2025-07-11 13:33

NVD link : CVE-2025-28059

Mitre link : CVE-2025-28059

CVE.ORG link : CVE-2025-28059

JSON object : View

Products Affected

nagios

network_analyzer

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-28059", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-04-18T17:15:34.700", "references": [{"url": "https://github.com/aakashtyal/Residual-Data-Access-Post-User-Deletion-in-Nagios-Network-Analyzer-Version-2024R1", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.nagios.com/changelog/#network-analyze", "tags": ["Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso en Nagios Network Analyzer 2024R1.0.3 permite que usuarios eliminados conserven el acceso a los recursos del sistema debido a la invalidaci\u00f3n incorrecta de sesiones y al manejo de tokens obsoletos. Cuando un administrador elimina una cuenta de usuario, el backend no finaliza las sesiones activas ni revoca los tokens de API asociados, lo que permite el acceso no autorizado a funciones restringidas."}], "lastModified": "2025-07-11T13:33:38.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:network_analyzer:2024:r1.0.3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9896555A-4661-43E4-970C-625C091639D2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}