CVE-2025-28132
Last modified
CVE-2025-28132 is a medium-severity vulnerability rated 4.6/10 on the CVSS scale. A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.. EPSS estimates a 0.34% chance of exploitation in the next 30 days.
Description
A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.
Metrics
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Nagios | Nagios Network Analyzer | 2024 | R1.0.3* |
References
- https://github.com/harshal79/Insufficient-Session-Expiration.gitThird Party Advisory
- https://www.nagios.com/changelog/#network-analyzerRelease Notes
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-28132?
How severe is CVE-2025-28132?
How do I fix CVE-2025-28132?
Are you affected by CVE-2025-28132?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST