This flaw, classified as an information disclosure vulnerability (CWE-200), exposes organizational user directories to potential misuse in phishing campaigns or credential-stuffing attacks.
The vulnerability resides in improper access controls for multiple administrative endpoints. Unauthenticated requests to pages such as /nagiosxi/admin/userpreferences.php and /nagiosxi/includes/ajax/notification-handlers.inc.php return JSON payloads containing user metadata.
Attackers can exploit this by crafting simple HTTP GET requests:
The server responds with structured data like:
No session token is required because these endpoints are never subjected to Nagios XI's session validation; the application effectively treats them as public resources rather than as authenticated administrative pages.
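The following script is an added example for checking the behaviour described above; it is not code from the article or from Nagios Enterprises. It sends cookie-less GET requests to the two endpoints named in the advisory and classifies each response: a 2xx with a JSON body means the endpoint served data without a session, while a 401/403 or a redirect to login.php means the access check is in place. The base URL is a placeholder, and the assumption that a correctly guarded install redirects unauthenticated clients to login.php (or returns 401/403) is ours, not the advisory's; the same check is useful for confirming a fix after upgrading.

```python
"""Probe Nagios XI admin endpoints without a session and report whether
they answer with JSON (exposed) or bounce to the login page (guarded).

Added example, not Nagios Enterprises code. The default base URL is a
placeholder; the expected "guarded" behaviour is an assumption.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Endpoints named in the advisory.
ENDPOINTS = [
    "/nagiosxi/admin/userpreferences.php",
    "/nagiosxi/includes/ajax/notification-handlers.inc.php",
]


def classify(status, headers, body):
    """Classify one unauthenticated response.

    Returns:
      "exposed" - 2xx whose body is a JSON object or array (data served with no session)
      "guarded" - 401/403, or a 3xx whose Location points at login.php
      "unclear" - anything else (e.g. 200 carrying an inline HTML login form)
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return "guarded"
    if 300 <= status < 400 and "login.php" in hdrs.get("location", ""):
        return "guarded"
    if 200 <= status < 300:
        if "json" in hdrs.get("content-type", "").lower():
            return "exposed"
        # Some handlers send JSON with a text/html content type; parse to be sure.
        try:
            parsed = json.loads(body)
        except (ValueError, TypeError):
            return "unclear"
        return "exposed" if isinstance(parsed, (dict, list)) else "unclear"
    return "unclear"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Keep 3xx responses instead of following them so Location can be inspected.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=10):
    """Send a single GET with no cookies and return (status, headers, body_text)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(urljoin(base_url, path), method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here with _NoRedirect
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def audit(base_url):
    """Probe every endpoint; return the worst verdict seen ("exposed" > "unclear" > "guarded")."""
    worst = "guarded"
    for path in ENDPOINTS:
        status, headers, body = probe(base_url, path)
        verdict = classify(status, headers, body)
        print(f"{verdict:8} HTTP {status}  {path}")
        if verdict == "exposed":
            worst = "exposed"
        elif verdict == "unclear" and worst != "exposed":
            worst = "unclear"
    return worst


if __name__ == "__main__":
    # Hypothetical host; replace with the instance under test.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://nagiosxi.example.internal/"
    sys.exit(1 if audit(target) == "exposed" else 0)
```

Run it against an instance before and after applying the vendor fix: any endpoint reported as "exposed" still returns user data to an anonymous client. An "unclear" verdict (for example a 200 with an HTML login form rendered inline) should be inspected manually rather than treated as fixed.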
As of February 2025, no in-the-wild exploitation has been reported, but an attack that requires nothing more than an unauthenticated GET request warrants urgent remediation.
Compromised email addresses and usernames provide attackers with reconnaissance data to:
The vulnerability is particularly critical in multi-tenant deployments, where user lists may include external clients or third-party integrators.
Nagios Enterprises has addressed this flaw in subsequent releases. Administrators must:
This incident follows a pattern of access control failures in Nagios XI, including past vulnerabilities like CVE-2021-25296 (RCE via WMI wizard) and CVE-2018-15708 (privilege escalation).
The recurrence highlights the importance of rigorous endpoint testing in monitoring platforms that manage critical infrastructure credentials.
The post Nagios XI Vulnerability Allows Unauthenticated Users to View Other User Details & Email appeared first on Cyber Security News.