CVE-2025-34227
HIGH
Nagios XI < 2026 - OS Command Injection
Title source: ruleDescription
Nagios XI < 2026R1 contains an authenticated command injection vulnerability in the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.
Exploits (1)
nomisec
WORKING POC
by mcorybillington · poc
https://github.com/mcorybillington/CVE-2025-34227_Nagios-XI-Command-Injection-Configuration-Wizard
References (4)
Scores
CVSS v3: 8.8
EPSS: 0.0251
EPSS Percentile: 85.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (1): nagios/nagios_xi < 2026
Published: Sep 25, 2025
Tracked Since: Feb 18, 2026