Vulnerability Description
Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backend command lines allows an authenticated administrator to inject shell metacharacters that are executed on the server. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain control of the underlying host operating system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nagios | Nagios Xi | < 2026 |
Related Weaknesses (CWE)
References
- https://www.nagios.com/changelog/nagios-xi/Release Notes
- https://www.nagios.com/products/security/#nagios-xiVendor Advisory
- https://www.vulncheck.com/advisories/nagios-xi-rce-via-run-check-command-in-ccmThird Party Advisory
FAQ
What is CVE-2025-34286?
CVE-2025-34286 is a vulnerability with a CVSS score of 7.2 (HIGH). Nagios XI versions prior to 2026R1 contain a remote code execution vulnerability in the Core Config Manager (CCM) Run Check command. Insufficient validation/escaping of parameters used to build backe...
How severe is CVE-2025-34286?
CVE-2025-34286 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34286?
Check the references section above for vendor advisories and patch information. Affected products include: Nagios Nagios Xi.