CVE-2025-34227
Published: 25 September 2025
Summary
CVE-2025-34227 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks in the top 8.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Nagios XI versions prior to 2026R1 contain an authenticated command injection vulnerability in the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query configuration wizards. The flaw, classified as CWE-78, permits injection of shell metacharacters into user-supplied arguments passed to these services, resulting in execution of arbitrary operating system commands on the host as the nagios user. The issue carries a CVSS 4.0 score of 8.6, with a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
An attacker with a valid administrative account on Nagios XI can reach the affected wizards over the network and supply crafted input that escapes the intended command context. Successful exploitation grants the ability to run any system command under the nagios account, potentially leading to full host compromise within the privileges of that user.
Public references, including the Nagios changelog and security pages, indicate that the issue is resolved in release 2026R1; administrators are expected to apply the update to eliminate the vulnerable wizards. The associated EPSS score remains flat at 0.0465 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31147
Vulnerability details
Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authenticated command injection in the Nagios XI Configuration Wizard (MySQL/PostgreSQL wizards), allowing arbitrary shell commands to be executed as the nagios user via Unix shell interpreters when tainted arguments are passed to system commands.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates and sanitizes user input to the Nagios XI wizards so that shell metacharacters cannot be injected into service arguments.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the command injection flaw by updating Nagios XI installations older than 2026R1.
- Least privilege for the nagios user: restricts the scope and impact of any command executed through the vulnerability.
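As an added example, not part of this record or of Nagios XI's own code, the following Python contrasts the string-interpolation pattern behind CWE-78 with the SI-10 style handling described above: allow-list validation for identifier-like wizard fields, and shell quoting for a query field that legitimately contains spaces and semicolons. The plugin path, option names and field patterns are assumptions chosen for illustration.

```python
import re
import shlex

# Constructed allow-lists for identifier-like wizard fields (hypothetical).
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,64}")
PLUGIN = "/usr/local/nagios/libexec/check_mysql_query"  # assumed plugin path


def build_vulnerable(host, user, query):
    """String interpolation: every field is parsed by the shell (CWE-78 pattern)."""
    return f"{PLUGIN} -H {host} -u {user} -q {query}"


def validate_field(name, value, pattern):
    """SI-10 style allow-list check for fields that must look like identifiers."""
    if not pattern.fullmatch(value):
        raise ValueError(f"{name}: value {value!r} contains disallowed characters")
    return value


def build_hardened(host, user, query):
    """Validate identifier fields, then quote every token for a shell-parsed config.

    The query field legitimately holds SQL with spaces and semicolons, so it is
    not allow-listed; shlex.quote turns it into a single shell word instead.
    """
    argv = [PLUGIN,
            "-H", validate_field("host", host, HOST_RE),
            "-u", validate_field("user", user, NAME_RE),
            "-q", query]
    return " ".join(shlex.quote(a) for a in argv)


def shell_words(cmdline):
    """Tokens a POSIX shell would see when executing the command line."""
    return shlex.split(cmdline)


def accepted(host, user, query):
    """True if the hardened builder accepts the wizard input."""
    try:
        build_hardened(host, user, query)
        return True
    except ValueError:
        return False
```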