CVE-2025-34287

HIGH

Nagios XI < 2024 - Incorrect Permission Assignment

Title source: rule

Description

Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation.

References (2)

[Release Notes] https://www.nagios.com/changelog/nagios-xi/

[Third Party Advisory] https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-improperly-owned-script

Scores

CVSS v3 7.8

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (2)

nagios/nagios_xi 2024 r1 (22 CPE variants)

nagios/nagios_xi < 2024

Published Oct 30, 2025

Tracked Since Feb 18, 2026