Nagios Fusion < 2024R2.1 2FA Brute Force Bypass_CVE-2025-34249

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Nagios Fusion versions prior to 2024R2.1 contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try second-factor codes for a targeted account. By abusing the lack of enforcement, an attacker could eventually successfully authenticate to accounts protected by 2FA.

AI Analysis

2FA brute force bypass vulnerability in Nagios Fusion prior to 2024R2.1

Basic Information

ID CVE-2025-34249

Source VulnCheck

Published Oct 30, 2025 at 21:19

Affected Product

Vendor Nagios

Product Fusion

CWE Classification

CWE-307

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Nagios

Product Nagios Fusion

Version < 2024R2.1

References

{
    "lastseen": "",
    "description": "Nagios Fusion versions prior to 2024R2.1 contain a brute-force bypass in the Two-Factor Authentication (2FA) implementation. The application did not properly enforce rate limiting or account lockout for repeated failed 2FA verification attempts, allowing a remote attacker to repeatedly try second-factor codes for a targeted account. By abusing the lack of enforcement, an attacker could eventually successfully authenticate to accounts protected by 2FA.",
    "published": "2025-10-30T21:19:05.690Z",
    "modified": "2025-10-30T21:19:05.690Z",
    "type": "cve",
    "title": "Nagios Fusion < 2024R2.1 2FA Brute Force Bypass",
    "source": "VulnCheck",
    "references": "https://www.nagios.com/products/security/#nagios-xi\nhttps://www.nagios.com/changelog/nagios-fusion/\nhttps://www.vulncheck.com/advisories/nagios-fusion-2fa-brute-force-bypass",
    "id": "CVE-2025-34249",
    "bulletinFamily": "",
    "cwe": [
        "CWE-307"
    ],
    "cvelist": null,
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Fusion",
    "version": "0",
    "vendor": "Nagios",
    "ai_description": "2FA brute force bypass vulnerability in Nagios Fusion prior to 2024R2.1",
    "ai_severity": "Critical",
    "ai_vendor": "Nagios",
    "ai_product": "Nagios Fusion",
    "ai_version": "< 2024R2.1",
    "ai_score": 9.3
}