CVE-2025-34288

Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.nagios.com/changelog/nagios-xi/2026r1-1/	Release Notes
https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nagios:nagios_xi::::::::
	cpe:2.3:a:nagios:nagios_xi:2026:r1::::::
	cpe:2.3:a:nagios:nagios_xi:2026:r1.0.1::::::

History

24 Dec 2025, 17:57

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nagios:nagios_xi:::::::: cpe:2.3:a:nagios:nagios_xi:2026:r1:::::: cpe:2.3:a:nagios:nagios_xi:2026:r1.0.1::::::
References	~~() https://www.nagios.com/changelog/nagios-xi/2026r1-1/ -~~	() https://www.nagios.com/changelog/nagios-xi/2026r1-1/ - Release Notes
References	~~() https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo -~~	() https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo - Third Party Advisory
First Time		Nagios nagios Xi Nagios
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.7

16 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-16 23:15

Updated : 2025-12-24 17:57

NVD link : CVE-2025-34288

Mitre link : CVE-2025-34288

CVE.ORG link : CVE-2025-34288

JSON object : View

Products Affected

nagios

nagios_xi

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2025-34288", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-12-16T23:15:44.720", "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/2026r1-1/", "tags": ["Release Notes"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2026R1.1 are\u00a0vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user\u2011accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower\u2011privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user."}], "lastModified": "2025-12-24T17:57:41.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F24B62F-2AE4-4907-B786-6C37F5E967C1", "versionEndIncluding": "2024"}, {"criteria": "cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBAC321F-6345-4077-A82D-8CC02C21C358"}, {"criteria": "cpe:2.3:a:nagios:nagios_xi:2026:r1.0.1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C36F783-6CD4-4417-B696-DC59388478AF"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}