Remote Code Execution Vulnerability in Nagios XI by Nagios Enterprises
CVE-2025-34134

9.4CRITICAL

Key Information:

Vendor

NagiOS

Status
Xi
Vendor
CVE Published:
30 October 2025

What is CVE-2025-34134?

Nagios XI versions prior to 2024R1.4.2 are susceptible to a vulnerability in the Business Process Intelligence (BPI) component that allows an authenticated administrative user to exploit insufficient validation and sanitization of configuration parameters. This weakness enables the creation or overwriting of files within the webroot, which, when executed, can result in arbitrary command execution with the privileges of the Nagios XI web application user. If attackers leverage this vulnerability, they can further compromise the underlying host operating system.

Affected Version(s)

XI 0

References

https://www.nagios.com/products/security/#nagios-xi
vendor-advisorypatch
https://www.nagios.com/changelog/nagios-xi/
release-notespatch
https://www.vulncheck.com/advisories/nagios-xi-rce-via-bu...
third-party-advisory

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M. Cory Billington of theyhack.me
JSON
.
CVE-2025-34134 : Remote Code Execution Vulnerability in Nagios XI by Nagios Enterprises