CVE-2025-34287
📋 TL;DR
This vulnerability allows attackers with web server privileges (www-data user) to modify a Nagios XI script, leading to arbitrary code execution as the nagios user when the script runs. It enables local privilege escalation from web server to monitoring system privileges. Affects Nagios XI installations prior to version 2024R2.
💻 Affected Systems
- Nagios XI
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Nagios monitoring system, ability to execute arbitrary commands as nagios user, potential lateral movement to other systems via Nagios credentials/access.
Likely Case
Attackers who compromise the web server (through other vulnerabilities) can escalate to nagios user, gaining control over monitoring infrastructure and potentially accessing sensitive system data.
If Mitigated
With proper file permissions and user separation, impact limited to web server compromise without privilege escalation.
🎯 Exploit Status
Exploitation requires existing web server access; trivial file modification leads to code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024R2 and later
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/
Restart Required: No
Instructions:
1. Back up the current Nagios XI installation.
2. Download Nagios XI 2024R2 or later from the official site.
3. Follow the upgrade instructions in the documentation.
4. Verify file ownership and permissions after the upgrade.
🔧 Temporary Workarounds
Fix file permissions manually
Change the ownership and permissions of the vulnerable script so that www-data can no longer modify it:
sudo chown nagios:nagios /usr/local/nagiosxi/scripts/process_perfdata.pl
sudo chmod 755 /usr/local/nagiosxi/scripts/process_perfdata.pl
🧯 If You Can't Patch
- Restrict web server privileges and implement strict access controls
- Monitor file integrity of process_perfdata.pl for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check file ownership: ls -la /usr/local/nagiosxi/scripts/process_perfdata.pl | grep www-data
Check Version:
cat /usr/local/nagiosxi/var/xiversion
Verify Fix Applied:
Verify file owned by nagios: ls -la /usr/local/nagiosxi/scripts/process_perfdata.pl | grep nagios
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications to process_perfdata.pl
- Unusual nagios user activity following web server compromise
Network Indicators:
- Unusual outbound connections from Nagios server
SIEM Query:
file_modification AND (file_path:"*process_perfdata.pl*" OR file_owner:"www-data")
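The checks under "How to Verify" and the file-integrity indicator under "Detection & Monitoring" can be combined into one audit script. The following is an added example, not code from the advisory or from Nagios XI: it inspects the ownership and mode bits of the script path named above (not just grepping for a user name, which also matches an unrelated group), records a SHA-256 baseline, and reports whether the file has changed since. It assumes GNU coreutils (stat -c, sha256sum) as found on typical Linux hosts; the path and the www-data account come from the advisory, and the baseline-file location is an assumption.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Nagios XI itself.
# Assumes GNU coreutils (stat -c, sha256sum) as found on typical Linux hosts.
# Path and web-server account are the ones named in the advisory.
SCRIPT_PATH="${SCRIPT_PATH:-/usr/local/nagiosxi/scripts/process_perfdata.pl}"
WEB_USER="${WEB_USER:-www-data}"
BASELINE_FILE="${BASELINE_FILE:-/var/lib/nagiosxi-perfdata.sha256}"  # assumed location

# check_script_perms PATH
# Prints MISSING / VULNERABLE <reason> / OK <details>.
# Returns 0 only when the web-server account cannot write the file through
# ownership, a writable group it belongs to, or world-writable bits.
check_script_perms() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(stat -c '%a' "$path")              # octal without leading zero, e.g. 755 or 1777
    while [ ${#mode} -lt 3 ]; do mode="0$mode"; done
    len=${#mode}
    other=$(printf '%s' "$mode" | cut -c "$len")          # last digit: other
    grp=$(printf '%s' "$mode" | cut -c "$((len - 1))")    # second-to-last digit: group
    if [ "$owner" = "$WEB_USER" ]; then
        echo "VULNERABLE owner is $WEB_USER"
        return 1
    fi
    if [ $((other & 2)) -ne 0 ]; then
        echo "VULNERABLE world-writable (mode $mode)"
        return 1
    fi
    if [ "$group" = "$WEB_USER" ] && [ $((grp & 2)) -ne 0 ]; then
        echo "VULNERABLE group-writable by $WEB_USER (mode $mode)"
        return 1
    fi
    echo "OK owner=$owner group=$group mode=$mode"
    return 0
}

# record_baseline BASELINE_FILE PATH
# Stores the SHA-256 of PATH so later modifications can be detected.
record_baseline() {
    sha256sum "$2" > "$1"
}

# baseline_changed BASELINE_FILE PATH
# Returns 0 if PATH no longer matches the recorded hash (it was modified),
# 1 if it is unchanged.
baseline_changed() {
    expected=$(cut -d' ' -f1 "$1")
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$expected" != "$actual" ]
}

# When run on a Nagios XI host, audit the real script; skipped if it is absent
# so the functions can also be sourced elsewhere.
if [ -e "$SCRIPT_PATH" ]; then
    check_script_perms "$SCRIPT_PATH"
    if [ -e "$BASELINE_FILE" ]; then
        if baseline_changed "$BASELINE_FILE" "$SCRIPT_PATH"; then
            echo "MODIFIED since baseline: $SCRIPT_PATH"
        else
            echo "UNCHANGED since baseline: $SCRIPT_PATH"
        fi
    else
        record_baseline "$BASELINE_FILE" "$SCRIPT_PATH"
        echo "BASELINE recorded in $BASELINE_FILE"
    fi
fi
```

Run it once after applying the fix or upgrade to record the baseline, then from cron to flag a VULNERABLE permission state or a MODIFIED hash; either condition is the file-modification event the SIEM query above looks for. Keep the baseline file somewhere www-data cannot write, otherwise an attacker who can edit the script can also re-baseline it.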