CVE-2025-60425 identifies a security vulnerability in Nagios Fusion versions v2024R1.2 and v2024R2 related to improper session token management when two-factor authentication (2FA) is enabled. Normally, enabling 2FA should invalidate any existing session tokens to ensure that only sessions authenticated with the second factor remain valid. However, in these affected versions, the system fails to invalidate already active session tokens upon 2FA activation. This flaw allows an attacker who has obtained or intercepted a valid session token prior to 2FA enforcement to continue using that token to access the system without needing to pass the 2FA challenge. This effectively bypasses the additional security layer provided by 2FA, enabling session hijacking attacks. The vulnerability compromises the integrity and confidentiality of user sessions, potentially allowing unauthorized access to sensitive monitoring data and administrative controls within Nagios Fusion. There are no known public exploits or patches currently available, and no CVSS score has been assigned. The vulnerability highlights a critical weakness in session management and authentication enforcement in Nagios Fusion, a widely used IT infrastructure monitoring platform.

For European organizations, this vulnerability poses a significant risk to the security of their IT infrastructure monitoring environments. Nagios Fusion is often used to monitor critical systems, networks, and services; unauthorized access could lead to manipulation or disruption of monitoring data, delayed incident detection, or exposure of sensitive operational information. Attackers exploiting this flaw could maintain persistent access without triggering 2FA alerts, increasing the risk of stealthy intrusions. This could impact confidentiality by exposing sensitive monitoring data, integrity by allowing tampering with monitoring configurations or alerts, and availability if attackers disrupt monitoring services. Organizations in sectors such as finance, energy, telecommunications, and government, which rely heavily on Nagios Fusion for operational oversight, could face increased risk of targeted attacks and compliance violations under European data protection regulations.

Immediate mitigation should focus on invalidating all existing session tokens when enabling or enforcing two-factor authentication within Nagios Fusion. Organizations should manually terminate active sessions and require re-authentication with 2FA enabled. Monitoring and logging of session activity should be enhanced to detect anomalous session reuse or hijacking attempts. Until an official patch is released, consider restricting access to Nagios Fusion interfaces to trusted networks or VPNs and enforce strict IP whitelisting. Implement network segmentation to limit exposure of the monitoring platform. Regularly audit user sessions and credentials, and educate administrators about the risks of session hijacking. Once patches become available, apply them promptly. Additionally, consider deploying web application firewalls (WAFs) or session management tools that can detect and block suspicious session behaviors.