CVE-2025-39665
📋 TL;DR
CVE-2025-39665 is an information disclosure vulnerability in Nagvis' Checkmk MultisiteAuth plugin that allows unauthenticated attackers to enumerate valid Checkmk usernames. This affects organizations using Nagvis with Checkmk MultisiteAuth before version 1.9.48. The vulnerability enables reconnaissance that could facilitate credential attacks.
💻 Affected Systems
- Nagvis with Checkmk MultisiteAuth plugin
📦 What is this software?
Nagvis (the Nagvis project): an open-source visualization add-on for Nagios-compatible monitoring systems such as Checkmk. The affected component is its Checkmk MultisiteAuth plugin, which authenticates Nagvis users against Checkmk (Multisite).
⚠️ Risk & Real-World Impact
Worst Case
Attackers build complete username lists, enabling targeted brute-force attacks that could lead to account compromise and lateral movement within the monitoring infrastructure.
Likely Case
Attackers enumerate some valid usernames, increasing success rates for subsequent credential stuffing or phishing attacks against those users.
If Mitigated
With strong password policies, MFA, and rate limiting, the impact is limited to reconnaissance without direct access.
🎯 Exploit Status
The vulnerability involves sending crafted requests to the authentication endpoint and observing differences in responses between valid and invalid usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.48
Vendor Advisory: https://www.nagvis.org/downloads/changelog/1.9.48
Restart Required: Yes
Instructions:
1. Backup current Nagvis configuration
2. Download Nagvis 1.9.48 or newer from nagvis.org
3. Follow Nagvis upgrade documentation for your platform
4. Verify the Checkmk MultisiteAuth plugin is updated
5. Restart Nagvis service
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the Nagvis web interface (and thus its authentication endpoint) to trusted IP ranges only (Linux, iptables):
# Use firewall rules to restrict access to the Nagvis ports (typically 80/443); replace trusted_network with your CIDR
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP
Web Server Rate Limiting
Implement rate limiting on the authentication endpoint to slow enumeration (applies to whichever web server fronts Nagvis). The logon request is index.php with mod=Auth in the query string; neither Apache's Request_URI nor an nginx location includes the query string, so the rules below match on the path or on the query argument rather than on "auth" in the URI.
# Apache example with mod_evasive (mod_ratelimit only throttles response bandwidth, not request rate)
<IfModule mod_evasive24.c>
    # more than 10 requests to the same URI from one client IP within 60 s blocks that IP for 300 s
    DOSPageCount      10
    DOSPageInterval   60
    DOSBlockingPeriod 300
</IfModule>
# Nginx example (map and limit_req_zone belong in the http block, location in the server block)
# locations match the path only, so key the zone on the mod=Auth query argument; requests with an empty key are not limited
map $arg_mod $auth_limit_key { default ""; Auth $binary_remote_addr; }
limit_req_zone $auth_limit_key zone=auth:10m rate=10r/m;
location ~ ^/nagvis/.*/index\.php$ { limit_req zone=auth burst=5 nodelay; }
🧯 If You Can't Patch
- Implement network segmentation to isolate Nagvis from untrusted networks
- Enable detailed logging and monitoring for authentication attempts with alerting on suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check whether Nagvis responds differently to valid and invalid usernames at the authentication endpoint. Test with curl, quoting the URL so the shell does not treat the & as a background operator: curl -X POST 'http://nagvis-server/nagvis/frontend/nagvis-js/index.php?mod=Auth&act=doLogon' -d 'username=testuser' and compare the responses for a known-valid and a nonexistent username.
Check Version:
Check Nagvis version in web interface footer or config file: grep '\$version' /usr/local/nagvis/share/nagvis/includes/defines/global.inc.php
Verify Fix Applied:
After patching, repeat the test and verify that responses are identical for valid and invalid usernames (no information disclosure).
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts with different usernames from same source
- Unusual pattern of authentication requests to Nagvis endpoints
- Requests to authentication endpoints from unexpected IP ranges
Network Indicators:
- High volume of POST requests to /nagvis/.../auth endpoints
- Requests with sequential or dictionary-based usernames
SIEM Query:
source="nagvis_access.log" AND uri_path="/nagvis/frontend/nagvis-js/index.php" AND uri_query="*mod=Auth*" | stats count dc(username) AS distinct_users by src_ip | where count > 10
(uri_query uses wildcards because the full query string is mod=Auth&act=doLogon; distinct_users is only populated if the log records the submitted username, so the threshold is applied to count alone.)
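As an added example (not part of the advisory and not Nagvis code), the log indicators above turned into a small detector that runs over constructed combined-format access-log lines: it counts POSTs to the logon handler named in the verification section per source IP in a sliding one-minute window and flags sources above the same 10-per-minute threshold the page uses for its rate limit and SIEM query. The log format, sample IPs and timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-format access log line (assumption: Nagvis is served by Apache or nginx with this format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')
AUTH_PATH = "/nagvis/frontend/nagvis-js/index.php"  # logon handler used in the verification section

def is_auth_request(method, uri):
    """True for POSTs to the Nagvis logon handler, i.e. mod=Auth in the query string."""
    path, _, query = uri.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return method == "POST" and path == AUTH_PATH and params.get("mod", "").lower() == "auth"

def detect_enumeration(lines, threshold=10, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for sources exceeding `threshold` logon POSTs inside any
    sliding `window` (the same 10-per-minute figure the advisory's rate limit and SIEM query use)."""
    recent = defaultdict(deque)  # ip -> timestamps of logon POSTs still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_auth_request(m["method"], m["uri"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire events that fell out of the sliding window
            q.popleft()
        if len(q) > threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def build_sample_log():
    """Constructed sample: 203.0.113.10 fires 12 logon POSTs in 22 s; 198.51.100.7 logs in once."""
    base = datetime(2025, 5, 1, 12, 0, 0)
    logon = f'"POST {AUTH_PATH}?mod=Auth&act=doLogon HTTP/1.1"'
    burst = [f'203.0.113.10 - - [{(base + timedelta(seconds=2 * i)):%d/%b/%Y:%H:%M:%S} +0000] {logon} 200 512'
             for i in range(12)]
    normal = [
        f'198.51.100.7 - - [01/May/2025:12:00:05 +0000] {logon} 302 0',
        f'198.51.100.7 - - [01/May/2025:12:00:06 +0000] "GET {AUTH_PATH}?mod=Overview HTTP/1.1" 200 8192',
        '198.51.100.7 - - [01/May/2025:12:00:07 +0000] "GET /nagvis/frontend/nagvis-js/css/style.css HTTP/1.1" 200 1024',
    ]
    return burst + normal

if __name__ == "__main__":
    for ip, n in detect_enumeration(build_sample_log()).items():
        print(f"possible username enumeration from {ip}: {n} logon POSTs within one minute")
```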