Introduction
Attackers can automate OTP brute-force attempts against Nagios Fusion's two-factor authentication, potentially gaining unauthorized access to critical monitoring infrastructure. This flaw affects production deployments of Nagios Fusion v2024R1.2 and v2024R2, which are widely used for centralized monitoring and management across enterprise environments.
Nagios Enterprises is a prominent vendor in the infrastructure monitoring space, with products like Nagios Core, Nagios XI, and Nagios Fusion. Their solutions are used by thousands of organizations globally to monitor IT infrastructure, making vulnerabilities in these products particularly impactful for operational security and visibility.
Technical Information
CVE-2025-60424 is caused by a missing rate limiting control on the OTP verification endpoint in Nagios Fusion. After a user authenticates with a valid username and password, the application prompts for a one-time password (OTP) as a second authentication factor. The vulnerable versions do not restrict the number of OTP attempts per user, session, or IP address. There is also no progressive account lockout after repeated failures.
An attacker with valid credentials can automate OTP submissions using tools like cURL or Python scripts. Since OTPs are typically 6-digit numbers, the attacker can attempt up to 1,000,000 combinations. Without rate limiting, all combinations can be tested in a short period if server and network resources allow. Successful brute-forcing of the OTP grants access to the authenticated session and the Nagios Fusion administrative interface.
The root cause is the absence of both rate limiting and account lockout mechanisms on the 2FA endpoint. This is classified under:
- CWE-287: Improper Authentication
- CWE-307: Improper Restriction of Excessive Authentication Attempts
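As an added illustration (not Nagios code, and not part of the advisory), the following Python sketches the server-side control whose absence is described above: an OTP check that counts consecutive failures per user and per source IP, imposes a progressive lockout once a free allowance is exhausted, and compares the code in constant time. The thresholds are assumed policy values, not anything Nagios ships.

```python
import hmac
import time
from collections import defaultdict

# Assumed policy values (not from the advisory): failures allowed before the
# first lockout, the first lockout length, and the cap on lockout growth.
MAX_FREE_ATTEMPTS = 5
BASE_LOCKOUT_SECONDS = 30
MAX_LOCKOUT_SECONDS = 3600


class OtpVerifier:
    """Verifies a 6-digit OTP with failure counting and progressive lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable for deterministic tests
        self._failures = defaultdict(int)        # (kind, id) -> consecutive failures
        self._locked_until = defaultdict(float)  # (kind, id) -> clock time lock expires

    def _lockout_for(self, failures):
        # Once the free allowance is used up, every further failure doubles the
        # lockout: 30 s, 60 s, 120 s ... up to MAX_LOCKOUT_SECONDS.
        excess = failures - MAX_FREE_ATTEMPTS
        if excess < 0:
            return 0.0
        return min(BASE_LOCKOUT_SECONDS * (2 ** excess), MAX_LOCKOUT_SECONDS)

    def verify(self, username, client_ip, submitted, expected):
        """Return (ok, reason). Both the account and the source IP are tracked,
        so neither a single account nor a single source can be hammered freely."""
        now = self._clock()
        keys = (("user", username), ("ip", client_ip))
        for key in keys:
            if now < self._locked_until[key]:
                return False, "locked"
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            for key in keys:
                self._failures[key] = 0
            return True, "ok"
        for key in keys:
            self._failures[key] += 1
            delay = self._lockout_for(self._failures[key])
            if delay:
                self._locked_until[key] = now + delay
        return False, "invalid"
```

With these values a single account or source gets five guesses, then waits 30 s, 60 s, 120 s and so on, which turns a 1,000,000-combination search into one that is no longer practical before the OTP expires.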
Affected Systems and Versions
- Nagios Fusion v2024R1.2
- Nagios Fusion v2024R2
- Only these versions are confirmed vulnerable. The issue is resolved in version 2024R2.1.
- All configurations using the built-in OTP-based two-factor authentication are affected.
Vendor Security History
Nagios Enterprises has a track record of authentication and access control vulnerabilities across its product line. Previous issues include remote code execution, privilege escalation, and API key exposure in products like Nagios XI and Nagios Log Server. Patch response times are generally within industry norms, but the recurrence of similar flaws indicates a need for improved secure development practices and architectural review.