CVE-2025-60424
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-11-05
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nagios | fusion | 2024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Two-Factor Authentication (2FA) verification component of Nagios Fusion versions 2024R1.2 and 2024R2. It is caused by a lack of rate limiting and account lockout controls on the OTP (One-Time Password) verification endpoint, allowing attackers to perform unlimited brute-force attempts to guess OTPs. As a result, attackers can bypass 2FA protections and gain unauthorized access to sensitive accounts, including administrator accounts. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass the 2FA security mechanism by brute-forcing OTPs without restriction. This can lead to unauthorized access to sensitive accounts, including administrator accounts, potentially resulting in mass account takeovers or targeted attacks on high-value accounts. The impact includes compromise of confidentiality, integrity, and limited availability of affected systems. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the OTP verification endpoint (e.g., /verify-otp) for an unusually high number of OTP submission attempts without rate limiting or account lockouts. Detection can involve analyzing logs for repeated failed OTP attempts from the same account or IP address. Specific commands are not provided in the resources, but network or application log inspection focusing on the 2FA verification requests and their frequency would be key. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enforcing strict rate limiting on OTP attempts per account, IP, or device; implementing account lockouts after a defined number of failed OTP submissions requiring re-authentication; and introducing back-off delays such as exponential delays on repeated failures. Additionally, updating Nagios Fusion to version 2024R2.1 or later, where the vulnerability is patched, is strongly recommended. [1]
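Added example, not BaseFortify's or Nagios's code, of the controls the mitigation answer describes: per-account exponential back-off after each failed OTP submission and a lockout after a fixed number of failures that rejects even a correct code until the lockout expires. The threshold, delay and lockout duration are assumed policy values, and the expected OTP is passed in rather than derived from a TOTP secret.

```python
import hmac
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not Nagios Fusion settings.
MAX_FAILURES = 5         # failed submissions before the account is locked
BASE_DELAY = 2.0         # seconds; the delay doubles after each failure
LOCKOUT_SECONDS = 900    # how long the lockout lasts; full re-login required


@dataclass
class OtpState:
    failures: int = 0
    not_before: float = 0.0   # earliest time the next submission is evaluated
    locked_until: float = 0.0


class OtpVerifier:
    """OTP check with per-account back-off and lockout.

    Keyed by account name so that a brute force spread over many source IPs
    still hits the same counter; a per-IP counter can be layered on top.
    """

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so a test can advance time
        self.states = {}

    def verify(self, account, expected_otp, submitted_otp):
        st = self.states.setdefault(account, OtpState())
        t = self.now()
        if t < st.locked_until:
            return "locked"       # rejected even if the code is right
        if t < st.not_before:
            return "throttled"    # submitted too soon; not evaluated, not counted
        if hmac.compare_digest(expected_otp, submitted_otp):
            self.states[account] = OtpState()   # success clears the counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = t + LOCKOUT_SECONDS
            return "locked"       # caller must force full re-authentication
        st.not_before = t + BASE_DELAY * 2 ** (st.failures - 1)
        return "denied"
```

With the values above, the allowed gaps between failed submissions grow 2, 4, 8, 16 seconds and the fifth failure locks the account, so an attacker with a six-digit code space gets only four evaluated guesses per lockout window instead of unlimited attempts.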