CVE-2025-34227 HIGH

CVE-2025-34227: Nagios XI < 2026R1 Configuration Wizard Authenticated Command Injection

Vendor Nagios

Product Nagios XI

Weakness CWE-78

Published September 25, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.

Key dates

02Disclosure timeline

September 25, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34227

Related vulnerabilities

CVE-2025-34227: Nagios XI < 2026R1 Configuration Wizard Authenticated Command Injection

01Description

02Disclosure timeline

03References

04Related CVE