CVE-2025-28132

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/harshal79/Insufficient-Session-Expiration.git	Third Party Advisory
https://www.nagios.com/changelog/#network-analyzer	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:nagios:nagios_network_analyzer:2024:r1.0.3*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-01 17:15

Updated : 2025-06-18 13:59

NVD link : CVE-2025-28132

Mitre link : CVE-2025-28132

CVE.ORG link : CVE-2025-28132

JSON object : View

Products Affected

nagios

nagios_network_analyzer

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-28132", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2025-04-01T17:15:46.700", "references": [{"url": "https://github.com/harshal79/Insufficient-Session-Expiration.git", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.nagios.com/changelog/#network-analyzer", "tags": ["Release Notes"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf."}, {"lang": "es", "value": "Una falla en la gesti\u00f3n de sesiones en Nagios Network Analyzer 2024R1.0.3 permite a un atacante reutilizar tokens de sesi\u00f3n incluso despu\u00e9s de que un usuario cierre sesi\u00f3n, lo que provoca accesos no autorizados y robo de cuentas. Esto se debe a una expiraci\u00f3n de sesi\u00f3n insuficiente, donde los tokens de sesi\u00f3n siguen siendo v\u00e1lidos despu\u00e9s del cierre de sesi\u00f3n, lo que permite a un atacante suplantar la identidad de los usuarios y realizar acciones en su nombre."}], "lastModified": "2025-06-18T13:59:16.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:nagios_network_analyzer:2024:r1.0.3*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3CC310B-9B87-4EF0-856B-3B141C5AF90E"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}