Local Privilege Escalation in Nagios XI due to Improper Script Ownership
CVE-2025-34287

8.4 HIGH

Key Information:

Vendor: Nagios

Status
Vendor
CVE Published: 30 October 2025

What is CVE-2025-34287?

Nagios XI prior to version 2024R2 is susceptible to a local privilege escalation vulnerability caused by an improperly owned script, process_perfdata.pl. The script is executed as the nagios user, yet it is owned by www-data, the web server account, so anything running with web server privileges can write to it. An attacker with access to the web server could modify the script and have arbitrary code execute with the privileges of the nagios user when the script runs. The vulnerability illustrates the risk of file ownership and permission mismatches in web-facing applications.
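An ownership audit for this class of flaw, added here as an example (it is not Nagios code and not part of the advisory). It goes beyond the single file named above by also checking every parent directory, since a writable directory lets the script be replaced. The trusted-owner policy and the function names are assumptions, and the script path is supplied by the operator because the advisory does not give it.

```python
import os
import pwd
import stat
from pathlib import Path

TRUSTED_OWNERS = {"root"}  # assumption: only root is trusted besides the executing account


def check_entry(owner, mode, run_as, is_dir=False):
    """Return findings for one file or directory that code running as run_as depends on."""
    findings = []
    if owner not in TRUSTED_OWNERS | {run_as}:
        findings.append(f"owned by {owner}, executed as {run_as}")
    # In a sticky directory (e.g. /tmp) users cannot replace entries they do not own.
    sticky_dir = is_dir and bool(mode & stat.S_ISVTX)
    if not sticky_dir:
        if mode & stat.S_IWOTH:
            findings.append("world-writable")
        if mode & stat.S_IWGRP:
            findings.append("group-writable, review group membership")
    return findings


def audit_path(path, run_as):
    """Check the script and every parent directory; returns [(path, finding), ...]."""
    target = Path(path).resolve()
    results = []
    for entry in [target, *target.parents]:
        st = os.stat(entry)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid with no passwd entry
        for finding in check_entry(owner, st.st_mode, run_as, stat.S_ISDIR(st.st_mode)):
            results.append((str(entry), finding))
    return results


if __name__ == "__main__":
    import sys
    # usage: audit.py <path-to-script> <executing-user>
    for where, what in audit_path(sys.argv[1], sys.argv[2]):
        print(f"{where}: {what}")
```

An empty result means the script and its directory chain are owned by root or the executing account and are not writable by anyone else.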

Affected Version(s)

XI 0 < 2024R2

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M. Cory Billington of theyhack.me