CVE-2025-60424

Oct. 27, 2025, 4:15 p.m.

7.6
High

Description

A lack of rate limiting in the OTP verification component of Nagios Fusion v2024R1.2 and v2024R2 allows attackers to bypass authentication via a bruteforce attack.

Product(s) Impacted

Vendor Product Versions
Nagios
  • Nagios Fusion
  • 2024R1.2, 2024R2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nagios nagios_fusion 2024R1.2 / / / / / / /
a nagios nagios_fusion 2024R2 / / / / / / /

References

https://github.com/aakashtyal/2FA-Bypass-using-a-Brute-Force-Attack
https://github.com/aakashtyal/2FA-Bypass-using-a-Brute-Force-Attack-CVE-2025-60424
https://www.nagios.com/changelog/#fusion

Tags

cve@mitre.org
CWE-287
2025-10-27
CVE-2025-60424

CVSS Score

7.6 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: LOW

    • CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

    View Vector String

Timeline

Published: Oct. 27, 2025, 4:15 p.m.
Last Modified: Oct. 27, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.