Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-34270

Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.

Published

2025-10-30T22:15:47.533

Last Modified

2025-11-06T16:31:27.530

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

Weaknesses

Type: Secondary
CWE-312
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nagios	log_server	< 2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes
Application	nagios	log_server	2024	Yes

References

https://support.nagios.com/kb/article/authenticating-and-importing-users-with-ad-and-ldap-995.html Not Applicable ([email protected])
https://www.nagios.com/changelog/#log-server Release Notes ([email protected])
https://www.nagios.com/products/security/#log-server-2024R2 Vendor Advisory ([email protected])
https://www.vulncheck.com/advisories/nagios-log-server-ad-ldap-import-password-not-obfuscated Third Party Advisory ([email protected])