Cyber Resilience

CVE-2025-34286

CriticalPublic PoCRCE

Published: 30 October 2025

Published
30 October 2025
Modified
06 November 2025
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0135 80.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34286 is a critical-severity OS Command Injection (CWE-78) vulnerability in Nagios Nagios Xi. Its CVSS base score is 9.4 (Critical).

Operationally, ranked in the top 19.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Nagios XI versions prior to 2026R1 are affected by a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. The flaw stems from insufficient validation and escaping of parameters used to construct backend command lines, corresponding to CWE-78, and carries a CVSS 4.0 score of 9.4 reflecting high impact across confidentiality, integrity, and availability both locally and in scope.

An authenticated administrator can exploit the issue by injecting shell metacharacters into the Run Check parameters. Successful exploitation yields arbitrary command execution under the privileges of the Nagios XI web application user, which can be escalated to full control of the underlying host operating system.

Advisories from Nagios and VulnCheck indicate that the issue is resolved in Nagios XI 2026R1; organizations should apply the update from the vendor changelog and security pages. The associated EPSS score remains low and unchanged at 0.0135 with no observed rise after disclosure.

EU & UK References

Vulnerability details

Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that…

more

are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nagios
nagios xi
≤ 2026

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References