CVE-2025-44824 PUBLISHED

Assigner: mitre
Reserved: 22.04.2025 Published: 07.10.2025 Updated: 07.10.2025

Nagios Log Server before 2024R1.3.2 allows authenticated users (with read-only API access) to stop the Elasticsearch service via a /nagioslogserver/index.php/api/system/stop?subsystem=elasticsearch call. The service stops even though "message": "Could not stop elasticsearch" is in the API response. This is GL:NLS#474.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVSS Score: 8.5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Nagios
Product	Log Server
Versions	Default: unaffected affected from 0 to 2024R1.3.2 (excl.)

References

https://www.nagios.com/changelog/#log-server
https://github.com/skraft9/nagios-log-server-dos

Problem Types

CWE-863 Incorrect Authorization CWE