Advisory

Critical security vulnerabilities patched in Nagios XI 2026R1

Take action: This is not an urgent fix, but an important one. The prerequisites for exploitation are clear and not trivial (an authenticated administrator account is required), but still: if you run the Nagios XI monitoring platform, plan an update to version 2026R1 and isolate it from the internet. Any credential will eventually be hacked.


Learn More

Nagios has patched multiple critical security flaws in its enterprise monitoring platform Nagios XI, with version 2026R1 released on September 24, 2025. While the update has been available for over a month, detailed information about these security flaws was released this week. 

Critical vulnerabilities:

  • CVE-2025-34286 (CVSS score 9.4): Remote code execution vulnerability in the Core Config Manager (CCM) Run Check Command affecting Nagios XI versions prior to 2026R1. Insufficient validation and escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server.
  • CVE-2025-34284 (CVSS score 9.4): Command injection vulnerability in the WinRM plugin affecting Nagios XI versions prior to 2024R2. Insufficient validation of user-supplied parameters allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations, enabling arbitrary command execution with the privileges of the Nagios XI web application user.
  • CVE-2025-34134 (CVSS score 9.4): Remote code execution vulnerability in the Business Process Intelligence (BPI) component affecting Nagios XI versions prior to 2024R1.4.2. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters allows an authenticated administrative user to create or overwrite files within the webroot and subsequently edit them via the BPI configuration editor.

Other vulnerabilities:

  • CVE-2025-34227 (CVSS score 8.6): Authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards affecting Nagios XI versions prior to 2026R1. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the nagios user.
  • CVE-2025-34287 (CVSS score 8.4): Privilege escalation vulnerability via improperly owned script (process_perfdata.pl) affecting Nagios XI versions prior to 2024R2. The script is executed periodically as the nagios user but owned by www-data, allowing an attacker with web server privileges to modify its contents and achieve arbitrary code execution as the nagios user.
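As an added triage helper (not part of the advisory or of Nagios XI itself), the function below maps an installed Nagios XI version string to the CVEs listed above, using the fixed-version thresholds this advisory states; the version-string format ("YEARrN[.x.y]", with legacy dotted "5.x.y" releases treated as older than any year-based release) is an assumption, not something the advisory specifies.

```python
import re

# First fixed version per CVE, as stated in the advisory, with a short summary.
FIXED_IN = {
    "CVE-2025-34286": ("2026R1", "RCE via CCM Run Check Command"),
    "CVE-2025-34284": ("2024R2", "command injection in the WinRM plugin"),
    "CVE-2025-34134": ("2024R1.4.2", "RCE via BPI configuration parameters"),
    "CVE-2025-34227": ("2026R1", "command injection in database wizards"),
    "CVE-2025-34287": ("2024R2", "privilege escalation via process_perfdata.pl ownership"),
}

_YEAR_RELEASE = re.compile(r"^(\d{4})R(\d+)((?:\.\d+)*)$")


def parse_version(version: str) -> tuple:
    """Turn a Nagios XI version string into a comparable tuple.

    Assumption (not from the advisory): releases are named YEAR R N[.x.y],
    e.g. 2024R1.4.2, and any legacy dotted release such as 5.11.3 predates
    every year-based release, so it sorts below all of them.
    """
    v = version.strip()
    m = _YEAR_RELEASE.match(v)
    if m:
        year, release, rest = m.groups()
        tail = tuple(int(p) for p in rest.split(".") if p)
        return (1, int(year), int(release)) + tail
    if re.fullmatch(r"\d+(\.\d+)*", v):
        return (0,) + tuple(int(p) for p in v.split("."))
    raise ValueError(f"unrecognised Nagios XI version string: {version!r}")


def _less(a: tuple, b: tuple) -> bool:
    # Zero-pad so that 2024R2 equals 2024R2.0.0 and 2024R1.4.2 sorts before 2024R2.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def affected_cves(installed: str) -> list:
    """Return the advisory's CVEs that still apply to the given installed version."""
    cur = parse_version(installed)
    return sorted(cve for cve, (fixed, _) in FIXED_IN.items()
                  if _less(cur, parse_version(fixed)))


if __name__ == "__main__":
    for v in ("5.11.3", "2024R1.3", "2024R2", "2026R1"):  # constructed sample versions
        print(v, "->", affected_cves(v) or "none")
```

Only 2026R1 and later come back with an empty list, which matches the advisory's upgrade recommendation.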

Nagios strongly recommends that all users upgrade immediately to version 2026R1 or later to fully address these vulnerabilities. Organizations that cannot upgrade yet should restrict administrative access to the Nagios XI interface to trusted internal networks only.