
CVE-2025-34227

Severity: High · Public PoC · RCE

Published: 25 September 2025
Modified: 14 October 2025
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (fixed in 2026R1)
CVSS v4 Score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.0634 (91.2nd percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-34227 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 8.8% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Nagios XI versions prior to 2026R1 contain an authenticated command injection vulnerability in the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query configuration wizards. The flaw, classified as CWE-78, arises because user-supplied wizard arguments are passed to operating system commands without neutralizing shell metacharacters; injecting such characters results in execution of arbitrary commands on the host as the nagios user. The issue carries a CVSS 4.0 score of 8.6: network attack vector, low attack complexity, high privileges required, and high impact on confidentiality, integrity, and availability.

An attacker holding a valid administrative account on Nagios XI can reach the affected wizards over the network and supply crafted input that escapes the intended command context. Successful exploitation grants the ability to run any system command as the nagios account; how far that reaches beyond the Nagios installation depends on what that account is permitted to do on the host.

Public references, including the Nagios changelog and security pages, indicate that the issue is resolved in release 2026R1; administrators should apply that update to remediate the vulnerable wizards. The EPSS score was flat at 0.0465 at the time of this analysis, with no observed increase after disclosure.


Vulnerability details

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an authenticated command injection in the Nagios XI configuration wizards (the MongoDB, MySQL and PostgreSQL wizards): tainted wizard arguments are passed to system commands through a Unix shell interpreter, so an attacker can execute arbitrary shell commands as the nagios user.

CVEs Like This One

CVE-2026-2041 (same product: Nagios XI)
CVE-2024-14005 (same product: Nagios XI)
CVE-2025-34284 (same product: Nagios XI)
CVE-2024-14003 (same product: Nagios XI)
CVE-2026-2043 (same product: Nagios XI)
CVE-2026-2042 (same product: Nagios XI)
CVE-2020-36867 (same product: Nagios XI)
CVE-2020-36856 (same product: Nagios XI)
CVE-2013-10073 (same product: Nagios XI)
CVE-2018-25122 (same product: Nagios XI)

Affected Assets

Vendor: Nagios
Product: Nagios XI
Versions: ≤ 2026 (releases prior to 2026R1)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: SI-10 Information Input Validation
Directly validates and sanitizes user inputs to the Nagios XI wizards to block injection of shell characters into service arguments.

prevent: SI-2 Flaw Remediation
Ensures timely identification, reporting, and patching of the command injection flaw in Nagios XI versions prior to 2026R1.

prevent: AC-6 Least Privilege
Enforces least privilege for the nagios user to restrict the scope and impact of arbitrary commands executed via the vulnerability.
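The injection mechanism described in the deeper analysis and the SI-10 input-validation control above, as an added example that is not Nagios XI code (the page reproduces no Nagios source): a Python model of a wizard that forwards database host, port, database and username fields to a Nagios-style check plugin. The plugin path, the form field names and the sample submissions are assumptions constructed for this demonstration. The vulnerable builder interpolates the fields into a single shell string; shell_commands shows how a POSIX shell would split that string into separate programs, and the hardened path applies a per-field allowlist and hands the plugin an argv list so no shell ever re-parses the input.

```python
"""Added example, not Nagios XI source code: why passing wizard form fields
into a shell string is injectable (the bug class behind CVE-2025-34227) and
how an SI-10 style allowlist plus an argv list (no shell) closes it.

Assumptions: the plugin path, the form field names and the sample inputs
below are constructed for this demonstration."""
import re
import shlex

PLUGIN = "/usr/local/nagios/libexec/check_mysql"   # assumed plugin path

# Constructed sample wizard submissions (not real captured requests).
BENIGN_FIELDS = {"host": "db01.example.internal", "port": "3306",
                 "database": "nagiosxi", "username": "nagiosadmin"}
MALICIOUS_FIELDS = dict(BENIGN_FIELDS, host="127.0.0.1; id #")

# Positive allowlist per field: only the characters a database host, port,
# database name or username legitimately needs.  No shell metacharacters.
FIELD_RULES = {
    "host": re.compile(r"[A-Za-z0-9.\-]{1,253}"),
    "port": re.compile(r"[0-9]{1,5}"),
    "database": re.compile(r"[A-Za-z0-9_]{1,64}"),
    "username": re.compile(r"[A-Za-z0-9_.\-]{1,64}"),
}

# Tokens at which a POSIX shell starts a new command or pipeline element.
SEPARATORS = {";", "&&", "||", "|", "&"}


class WizardInputError(ValueError):
    """Raised when a submitted field fails its allowlist."""


def build_check_command_unsafe(fields):
    """Vulnerable pattern: form fields interpolated into one shell string.
    Any metacharacter in a field changes what the shell will run."""
    return (f"{PLUGIN} -H {fields['host']} -P {fields['port']} "
            f"-d {fields['database']} -u {fields['username']}")


def shell_commands(command_line):
    """Split a command line the way a POSIX shell lexes it (quotes respected,
    ';', '&&', '||', '|' and '&' as separators, '#' starting a comment) and
    return one argv per command, i.e. how many programs would actually run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_wizard_fields(fields):
    """SI-10 style input validation: every forwarded field must fully match
    its allowlist, and the port must be a real TCP port."""
    clean = {}
    for name, rule in FIELD_RULES.items():
        value = str(fields.get(name, ""))
        if not rule.fullmatch(value):
            raise WizardInputError(f"invalid value for {name!r}: {value!r}")
        clean[name] = value
    if not 1 <= int(clean["port"]) <= 65535:
        raise WizardInputError("port out of range")
    return clean


def build_check_argv(fields, validate=True):
    """Hardened pattern: validate, then build an argv list to hand to
    subprocess.run(argv) with shell=False.  Even with validation skipped,
    each field stays one argument; nothing re-parses it as shell syntax."""
    f = validate_wizard_fields(fields) if validate else fields
    return [PLUGIN, "-H", f["host"], "-P", f["port"],
            "-d", f["database"], "-u", f["username"]]


def argv_to_shell_string(argv):
    """If a shell string is unavoidable, quote each argument (shlex.join)."""
    return shlex.join(argv)


if __name__ == "__main__":
    unsafe = build_check_command_unsafe(MALICIOUS_FIELDS)
    print("unsafe string  :", unsafe)
    print("shell would run:", shell_commands(unsafe))         # two commands
    try:
        build_check_argv(MALICIOUS_FIELDS)
    except WizardInputError as exc:
        print("validation     :", exc)
    argv = build_check_argv(MALICIOUS_FIELDS, validate=False)
    print("argv, quoted   :", shell_commands(argv_to_shell_string(argv)))
```

shell_commands is a lexer-level approximation: it separates commands at ;, &&, ||, | and &, which is enough to show the injected id running as a second program, but it does not model $(...) or backtick substitution, so treat it as an illustration rather than a detector. The allowlist is what closes every variant, because it rejects each character a shell could interpret before the value reaches a command at all; the argv list is the second layer for the case where validation is bypassed or incomplete.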
