CVE-2025-34284
HIGHNagios XI < 2024R2 - Authenticated OS Command Injection via WinRM Plugin
Title source: llmDescription
Nagios XI versions prior to 2024R2 contain a command injection vulnerability in the WinRM plugin. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to modify configuration, exfiltrate data, disrupt monitoring operations, or execute commands on the underlying host operating system.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
patch
https://www.nagios.com/products/security/#nagios-xi
Release Notes release-notes
patch
https://www.nagios.com/changelog/nagios-xi/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/nagios-xi-authenticated-command-injection-via-winrm-plugin
Scores
CVSS v3
8.8
EPSS
0.0046
EPSS Percentile
64.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
nagios/nagios_xi
2024 r1 (22 CPE variants)
nagios/nagios_xi
< 2024
Published
Oct 30, 2025
Tracked Since
Feb 18, 2026