Nagios Log Server < 2024R2.0.2 AD/LDAP Import Password Not Obfuscated

Advisories

severity: medium
date: 10/30/2025
Affecting: Log Server < 2024R2.0.2
CVE: CVE-2025-34270
CWE: CWE-312 Cleartext Storage of Sensitive Information
CWE-522 Insufficiently Protected Credentials
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Nagios Log Server Disclosures
Nagios Log Server Changelog
Nagios Log Server Documentation
Description: Nagios Log Server versions prior to 2024R2.0.2 contain a vulnerability in the AD/LDAP user import functionality as it fails to obfuscate the password field during import. As a result, the plaintext password supplied for imported accounts may be exposed in the user interface, logs, or other diagnostic output. This can leak sensitive credentials to administrators or anyone with access to import results.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo