CVE-2025-60425
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-11-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nagios | fusion | 2024 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-491 | A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-60425 is a vulnerability in Nagios Fusion versions 2024R1.2 and 2024R2 where enabling two-factor authentication (2FA) does not invalidate existing session tokens. This means that sessions established before 2FA was enabled remain active and bypass the 2FA requirement. Attackers or unauthorized users with access to these legacy sessions can perform administrative actions or modify account details without undergoing the additional authentication step. The root cause is the failure to revoke or re-authenticate existing sessions when 2FA is activated, leading to insufficient session expiration and improper authentication. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers who have access to existing session tokens to hijack sessions and perform unauthorized administrative actions without needing to pass the 2FA check. This can lead to unauthorized data access, modification of account details, and potential data exfiltration. It also poses a risk in environments with shared or unmanaged devices where sessions remain active and bypass enhanced security controls, increasing the likelihood of compromise. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for active sessions that were established before two-factor authentication (2FA) was enabled and that remain valid without requiring re-authentication. Specifically, monitoring session tokens or cookies that persist after 2FA activation is key. Methods to detect this include inspecting session cookies or tokens in your web application logs, or using network monitoring tools to identify session reuse without 2FA prompts. However, no specific commands are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include revoking all existing sessions (both access and refresh tokens) across all devices when 2FA is enabled or reset, enforcing fresh primary authentication plus 2FA for all sessions, rotating session secrets such as signing keys or server-side session versions to invalidate stale tokens, and configuring reasonable maxAge and idleTimeout values to limit session longevity. Applying the vendor patch released in version 2024R2.1 dated July 23, 2025, is also recommended. [1]
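As an added illustration of the mitigation described above (this is example code, not Nagios Fusion code and not taken from the advisory), the following Python models a server-side session store in which each user carries a session-version counter. Turning 2FA on bumps the counter and drops the user's stored sessions, so any token issued beforehand fails validation, and maxAge / idleTimeout bound the sessions that remain. The `revoke_existing=False` path reproduces the behaviour the advisory describes, where enabling 2FA leaves earlier sessions valid. The class and function names, the timeouts and the `FakeClock` helper are assumptions made for the example.

```python
"""Invalidate pre-2FA sessions by bumping a per-user session version.

Added example; hypothetical session store, not Nagios code. Assumes opaque
server-side session tokens and per-request enforcement of maxAge / idleTimeout.
"""
import secrets
import time
from dataclasses import dataclass


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class User:
    name: str
    session_version: int = 1        # bumped to invalidate every outstanding session
    two_factor_enabled: bool = False


@dataclass
class Session:
    user: str
    version: int                    # user's session_version at login time
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self, max_age=8 * 3600, idle_timeout=30 * 60, clock=time.time):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.max_age = max_age          # absolute lifetime (maxAge)
        self.idle_timeout = idle_timeout  # inactivity limit (idleTimeout)
        self.clock = clock

    def add_user(self, name: str) -> None:
        self.users[name] = User(name)

    def login(self, name: str, mfa_verified: bool = False) -> str:
        """Primary authentication is assumed done; enforce 2FA if enabled."""
        user = self.users[name]
        if user.two_factor_enabled and not mfa_verified:
            raise PermissionError("2FA required")
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.session_version, now, now)
        return token

    def enable_2fa(self, name: str, revoke_existing: bool = True) -> None:
        user = self.users[name]
        user.two_factor_enabled = True
        if revoke_existing:
            # Fixed behaviour: rotate the server-side session version and
            # drop stored sessions, so tokens issued before 2FA are dead.
            user.session_version += 1
            self.sessions = {t: s for t, s in self.sessions.items() if s.user != name}
        # revoke_existing=False mirrors the flaw the advisory describes:
        # sessions established before 2FA keep working and bypass the check.

    def validate(self, token: str) -> tuple[bool, str]:
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or revoked token"
        if s.version != self.users[s.user].session_version:
            return False, "session predates a security change; re-authenticate"
        now = self.clock()
        if now - s.issued_at > self.max_age:
            return False, "maxAge exceeded"
        if now - s.last_seen > self.idle_timeout:
            return False, "idleTimeout exceeded"
        s.last_seen = now
        return True, "ok"


def pre_2fa_session_survives(revoke_existing: bool) -> bool:
    """Does a session opened before 2FA still validate after 2FA is enabled?"""
    store = SessionStore(clock=FakeClock(1_000_000.0))
    store.add_user("admin")
    old_token = store.login("admin")            # established before 2FA
    store.enable_2fa("admin", revoke_existing=revoke_existing)
    return store.validate(old_token)[0]


def login_requires_mfa_after_enable() -> bool:
    store = SessionStore(clock=FakeClock(1_000_000.0))
    store.add_user("admin")
    store.enable_2fa("admin")
    try:
        store.login("admin")                    # no 2FA proof presented
    except PermissionError:
        return True
    return False


def timeout_reason(advance_seconds: float) -> str:
    """Validation verdict after the clock moves forward by advance_seconds."""
    clock = FakeClock(1_000_000.0)
    store = SessionStore(max_age=8 * 3600, idle_timeout=30 * 60, clock=clock)
    store.add_user("ops")
    token = store.login("ops")
    clock.now += advance_seconds
    return store.validate(token)[1]


if __name__ == "__main__":
    print("flawed (no revoke):", pre_2fa_session_survives(False))
    print("fixed  (revoke):   ", pre_2fa_session_survives(True))
```

Bumping a server-side version is preferable to only deleting session rows because it also defeats stateless or cached copies of a token: any token whose embedded version no longer matches the user's current one is rejected regardless of where it is presented. The same bump should fire on 2FA reset and password change, and the maxAge / idleTimeout checks keep any surviving session short-lived.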