CVE-2025-67900
📋 TL;DR
NXLog Agent versions before 6.11 can be forced to load an attacker-controlled OpenSSL configuration file via the OPENSSL_CONF environment variable. This allows attackers with local access to potentially execute arbitrary code or manipulate cryptographic operations. All systems running vulnerable NXLog Agent versions are affected.
💻 Affected Systems
- NXLog Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/root privileges, allowing complete system compromise and lateral movement.
Likely Case
Local privilege escalation or manipulation of TLS/SSL connections to intercept or modify log data.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from setting environment variables.
🎯 Exploit Status
Exploitation requires the ability to set environment variables and to place a malicious OpenSSL configuration file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.11
Vendor Advisory: https://docs.nxlog.co/agent/current/release-notes.html#nxlog-agent-6-11
Restart Required: Yes
Instructions:
1. Download NXLog Agent 6.11 or later from official sources.
2. Stop NXLog service.
3. Install the updated version.
4. Restart NXLog service.
🔧 Temporary Workarounds
Restrict environment variable modification
All platforms: Prevent unauthorized users from setting the OPENSSL_CONF environment variable
# Linux: chmod 750 /usr/bin/nxlog
# Windows: Restrict write permissions to NXLog installation directory
Set secure OpenSSL configuration
All platforms: Configure OpenSSL to ignore the OPENSSL_CONF environment variable
export OPENSSL_CONF=/dev/null
set OPENSSL_CONF=nul
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from modifying NXLog environment
- Monitor for suspicious OpenSSL configuration file creation or environment variable manipulation
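The monitoring step above, as an added example that is not from this page or from NXLog: a Linux-only audit that reads /proc/<pid>/comm and /proc/<pid>/environ, reports nxlog processes started with OPENSSL_CONF set, and classifies the file the variable points to. The function names and status labels are made up for this example; the process name nxlog is taken from the commands on this page.

```python
import os
import stat

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def assess_conf_path(path):
    """Classify the target of OPENSSL_CONF (labels are this example's own).
    A file not owned by root, or writable by group/other, is 'untrusted'."""
    if path == "/dev/null":
        return "neutralized"  # the workaround value given on this page
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "untrusted"
    return "root-owned"

def audit_process(pid, comm, raw_environ):
    """Return a finding for an nxlog process with OPENSSL_CONF set, else None."""
    conf = parse_environ(raw_environ).get("OPENSSL_CONF")
    if comm.strip() != "nxlog" or conf is None:
        return None
    return {"pid": pid, "openssl_conf": conf, "status": assess_conf_path(conf)}

def scan_proc(proc_root="/proc"):
    """Audit every process visible under proc_root."""
    findings = []
    for name in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{name}/comm") as f:
                comm = f.read()
            with open(f"{proc_root}/{name}/environ", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited, or environ not readable by this user
        finding = audit_process(int(name), comm, raw)
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in scan_proc():
        print(finding)
```

Run it as root so that every process's environ file is readable; the file shows the environment the process was started with.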
🔍 How to Verify
Check if Vulnerable:
Check the NXLog version: run nxlog --version, or examine the installed version in Control Panel
Check Version:
nxlog --version
Verify Fix Applied:
Confirm the version is 6.11 or later and test that the OPENSSL_CONF environment variable no longer affects NXLog
📡 Detection & Monitoring
Log Indicators:
- Unauthorized attempts to set OPENSSL_CONF
- Suspicious OpenSSL configuration file loading
- NXLog process spawning unexpected child processes
Network Indicators:
- Unusual TLS/SSL handshake failures from NXLog
- Suspicious network connections from NXLog process
SIEM Query:
process_name:nxlog AND (env_var:OPENSSL_CONF OR file_create:*openssl*.cnf)