CVE-2025-60425
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-11-05

Assigner: MITRE

Description
Nagios Fusion v2024R1.2 and v2024R2 does not invalidate already existing session tokens when the two-factor authentication mechanism is enabled, allowing attackers to perform a session hijacking attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2025-11-05
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-60425
EUVD
EUVD-2025-36198
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nagios fusion 2024
nagios fusion 2024
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-491 A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-60425 is a vulnerability in Nagios Fusion versions 2024R1.2 and 2024R2 where enabling two-factor authentication (2FA) does not invalidate existing session tokens. This means that sessions established before 2FA was enabled remain active and bypass the 2FA requirement. Attackers or unauthorized users with access to these legacy sessions can perform administrative actions or modify account details without undergoing the additional authentication step. The root cause is the failure to revoke or re-authenticate existing sessions when 2FA is activated, leading to insufficient session expiration and improper authentication. [1]

Impact Analysis

This vulnerability can allow attackers who have access to existing session tokens to hijack sessions and perform unauthorized administrative actions without needing to pass the 2FA check. This can lead to unauthorized data access, modification of account details, and potential data exfiltration. It also poses a risk in environments with shared or unmanaged devices where sessions remain active and bypass enhanced security controls, increasing the likelihood of compromise. [1]

Detection Guidance

This vulnerability can be detected by checking for active sessions that were established before the enabling of Two-Factor Authentication (2FA) and remain valid without requiring re-authentication. Specifically, monitoring session tokens or cookies that persist after 2FA activation is key. Commands or methods to detect this include inspecting session cookies or tokens in your web application logs or using network monitoring tools to identify session reuse without 2FA prompts. However, no specific commands are provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include revoking all existing sessions (both access and refresh tokens) across all devices when 2FA is enabled or reset, enforcing fresh primary authentication plus 2FA for all sessions, rotating session secrets such as signing keys or server-side session versions to invalidate stale tokens, and configuring reasonable maxAge and idleTimeout values to limit session longevity. Applying the vendor patch released in version 2024R2.1 dated July 23, 2025, is also recommended. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60425. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart