CVE-2025-28132
low-risk
Published 2025-04-01
A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.
Do I need to act?
-
0.15% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.6/10
Medium
ADJACENT_NETWORK
/ LOW complexity
Affected Products (1)
Nagios Network Analyzer
Affected Vendors
References (2)
Third Party Advisory
https://github.com/harshal79/Insufficient-Session-Expiration.git
Release Notes
https://www.nagios.com/changelog/#network-analyzer
22
/ 100
low-risk
Severity
16/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal