CVE-2025-34288
📋 TL;DR
This CVE describes a local privilege escalation in Nagios XI. A maintenance script that the application account may run as root via sudo includes a PHP file that the same account can write. An attacker who already runs as the application account edits that file to add code of their choice; the next time the script is executed through sudo, the injected code runs as root. Nagios XI versions prior to 2026R1.1 are affected.
💻 Affected Systems
- Nagios XI (versions prior to 2026R1.1)
📦 What is this software?
Nagios XI by Nagios
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the Nagios XI server, allowing complete system control, data theft, lateral movement, and persistence.
Likely Case
Local attackers with application account access escalate to root privileges, gaining full control over the monitoring system and potentially the underlying server.
If Mitigated
With the include file owned by root and not writable by the application account, and the sudo rule limited to what the maintenance script needs, an attacker on the application account has nothing useful to overwrite; file-integrity monitoring on the include and logging of sudo executions give detection if they try.
🎯 Exploit Status
Exploitation requires code execution as the Nagios XI application account (the account the web application runs as) but is straightforward from there: edit the included PHP file, then trigger or wait for the sudo-executed maintenance script. The vulnerability details are publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026R1.1
Vendor Advisory: https://www.nagios.com/changelog/nagios-xi/2026r1-1/
Restart Required: Yes
Instructions:
1. Back up the current Nagios XI configuration and data.
2. Download Nagios XI 2026R1.1 from the official Nagios website.
3. Follow the Nagios XI upgrade documentation to apply the update.
4. Restart the Nagios XI service and verify functionality.
🔧 Temporary Workarounds
Restrict file permissions on the vulnerable PHP include
Linux: remove write permission from the vulnerable PHP include file for non-root users:
chmod o-w /path/to/vulnerable/file.php
chmod g-w /path/to/vulnerable/file.php
Caveat: these commands only strip the group and other write bits. If the application account owns the file, or is a member of the file's group, it can still write it; in that case the file must be owned by root (and left readable, so the script keeps working) before this workaround protects anything. Check who owns the file and which group can write it before relying on it.
Modify sudo permissions
Linux: remove or restrict the sudo rule that lets the application account run the maintenance script as root:
visudo
Remove or comment out the relevant sudo entry for the maintenance script (check the files under /etc/sudoers.d/ as well). Caveat: whatever maintenance task the script performs stops working until the patch is applied.
🧯 If You Can't Patch
- Implement strict access controls to limit who has access to the Nagios XI application account
- Monitor file integrity of the vulnerable PHP include file and alert on any modifications
🔍 How to Verify
Check if Vulnerable:
Read the installed version and compare it against 2026R1.1; anything earlier is vulnerable:
cat /usr/local/nagiosxi/var/xiversion | grep full
Check Version:
cat /usr/local/nagiosxi/var/xiversion | grep full
Verify Fix Applied:
After patching, confirm the version is 2026R1.1 or later:
cat /usr/local/nagiosxi/var/xiversion | grep full
Also confirm the include file is no longer writable by the application account (owned by root, no group or other write bit).
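The version check above and the two workarounds (include permissions, sudo rule) bundled into one triage script, added here as an example; this is not Nagios code. It assumes Linux with GNU coreutils (stat -c), that the xiversion file carries a full=<version> line (the advisory only shows grep full), that any version string not in the YYYYRn.n form is older than 2026R1.1, and that the application account name is supplied by the caller; apache is a placeholder, and the include path is whatever you pass, since the advisory does not name it.

```shell
#!/bin/sh
# xi_triage.sh - added example for CVE-2025-34288 triage; not Nagios code.
# Assumptions not stated in the advisory: Linux with GNU coreutils (stat -c),
# a "full=<version>" line in the xiversion file, and the application account
# name passed in via APP_USER ("apache" is a placeholder; use the account your
# web server actually runs as).

# True (0) when VERSION is older than 2026R1.1. YYYYRn.n[.p] strings are
# compared field by field; anything else (the older 5.x scheme, or an empty
# string because the file was unreadable) is treated as older, i.e. vulnerable.
xi_version_vulnerable() {
    ver=$1
    case $ver in
        [0-9][0-9][0-9][0-9]R[0-9]*.[0-9]*) ;;
        *) return 0 ;;
    esac
    year=${ver%%R*}                 # 2026
    rest=${ver#*R}                  # 1.1 or 1.1.2
    rel=${rest%%.*}                 # 1
    rest=${rest#*.}                 # 1 or 1.2
    minor=${rest%%.*}               # 1
    [ "$year" -lt 2026 ] && return 0
    [ "$year" -gt 2026 ] && return 1
    [ "$rel" -lt 1 ] && return 0
    [ "$rel" -gt 1 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    return 1
}

# Installed version, read from the file path the advisory uses.
xi_installed_version() {
    sed -n 's/^full=//p' "${1:-/usr/local/nagiosxi/var/xiversion}" 2>/dev/null | head -n 1
}

# True (0) when FILE cannot be rewritten by APP_USER through the obvious
# routes: it is not owned by that account and has no group/other write bit.
# Group membership is not resolved; any group write bit is treated as unsafe.
include_is_safe() {
    file=$1; app_user=$2
    owner=$(stat -c %U "$file" 2>/dev/null) || return 1
    mode=$(stat -c %a "$file")
    [ "$owner" != "$app_user" ] || return 1
    g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# Print the lines of SUDOERS_FILE that start with APP_USER, i.e. the rules
# that can grant the maintenance script root; review or remove them via visudo.
app_sudo_rules() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null || true
}

main() {
    app_user=${APP_USER:-apache}
    ver=$(xi_installed_version)
    if xi_version_vulnerable "$ver"; then
        echo "VULNERABLE: Nagios XI '${ver:-unknown}' is older than 2026R1.1"
    else
        echo "OK: Nagios XI $ver"
    fi
    for f in "$@"; do                     # include paths given on the command line
        if include_is_safe "$f" "$app_user"; then
            echo "OK: $f is not writable by $app_user"
        else
            echo "WRITABLE: $f can be modified by $app_user"
        fi
    done
    for s in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$s" ] && app_sudo_rules "$s" "$app_user" | sed "s|^|$s: |"
    done
    return 0
}

# Usage: APP_USER=apache sh xi_triage.sh /path/to/vulnerable/file.php
case ${0##*/} in xi_triage.sh) main "$@" ;; esac
```

Run it as root on the Nagios XI host so that /etc/sudoers is readable; a WRITABLE line with a VULNERABLE version is the condition the CVE describes, and the sudoers lines printed are the ones to tighten with visudo if you cannot patch immediately.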
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to PHP include files in Nagios XI directory
- Unusual sudo executions of Nagios maintenance scripts
- File integrity alerts for Nagios XI system files
Network Indicators:
- None - this is a local privilege escalation
SIEM Query (illustrative; map the field names to your own schema and replace nagios_maintenance_script with the real path of the sudo-executed script):
source="*nagios*" AND (event_type="file_modification" OR event_type="sudo_execution") AND (file_path="*.php" OR process_name="nagios_maintenance_script")
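The two host-side indicators above (modification of the PHP include, sudo executions as root by the application account) implemented as a small script, added here as an example; this is not Nagios code. It assumes GNU coreutils (sha256sum, find), file paths without whitespace, and sudo logging in the standard syslog form "sudo: <user> : TTY=... ; PWD=... ; USER=root ; COMMAND=<path>". The web root, account name and log path are parameters; the sample log lines are constructed, the script path in them is a placeholder, and /var/lib/xi_fim.baseline in the usage comment is a hypothetical location.

```shell
#!/bin/sh
# Added example for CVE-2025-34288 detection; not Nagios code.
# Assumptions not stated in the advisory: GNU coreutils (sha256sum, find),
# file paths without whitespace, and sudo logging in the usual syslog form
#   "... sudo: <user> : TTY=... ; PWD=... ; USER=root ; COMMAND=<path>".

# Emit "sha256  path" for every .php file under DIR, sorted by path.
fim_baseline() {
    find "$1" -type f -name '*.php' -exec sha256sum {} + | sort -k 2
}

# Compare DIR against BASELINE (saved output of fim_baseline). Prints one
# MODIFIED / NEW / DELETED line per change and returns 1 if anything changed,
# so a cron job can turn a non-zero exit into an alert. A MODIFIED include
# followed by a root sudo run of the maintenance script is the pattern this
# CVE describes.
fim_check() {
    dir=$1; baseline=$2
    report=$(fim_baseline "$dir" | awk -v base="$baseline" '
        BEGIN {
            while ((getline line < base) > 0) {
                split(line, f, "  ")        # "hash  path"
                want[f[2]] = f[1]
            }
        }
        {
            seen[$2] = 1
            if (!($2 in want))          print "NEW " $2
            else if (want[$2] != $1)    print "MODIFIED " $2
        }
        END {
            for (p in want) if (!(p in seen)) print "DELETED " p
        }')
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Print "<date> <time> <command>" for every sudo execution as root by
# APP_USER in LOGFILE. Apart from the maintenance script the advisory
# mentions, that account has no business running anything as root.
sudo_root_by_user() {
    awk -v u="$2" '
        $0 ~ ("sudo: +" u " : ") && / USER=root ; / {
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            print $1, $2, $3, cmd
        }' "$1"
}

# Constructed sample lines (not from a real host) to exercise the filter;
# the maintenance script path is a placeholder.
sample_auth_log() {
    cat <<'EOF'
Jan 14 10:21:40 xi01 sudo:   apache : TTY=unknown ; PWD=/usr/local/nagiosxi/html ; USER=root ; COMMAND=/usr/local/nagiosxi/scripts/example_maint.sh
Jan 14 10:22:01 xi01 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
Jan 14 10:23:15 xi01 sudo:   apache : TTY=unknown ; PWD=/tmp ; USER=nagios ; COMMAND=/bin/true
Jan 14 10:24:09 xi01 sudo:   apache : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
EOF
}

# Self-contained run on a constructed directory. A real deployment would use
# /usr/local/nagiosxi/html, keep the baseline off-host (e.g. the hypothetical
# /var/lib/xi_fim.baseline, copied elsewhere), and read /var/log/auth.log or
# /var/log/secure instead of the sample lines.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/html"
    printf '<?php echo "a";\n' > "$tmp/html/a.php"
    printf '<?php echo "b";\n' > "$tmp/html/b.php"
    fim_baseline "$tmp/html" > "$tmp/baseline"          # known-good state
    printf '<?php system($_GET["c"]);\n' >> "$tmp/html/b.php"   # attacker edit
    fim_check "$tmp/html" "$tmp/baseline" || echo "integrity check failed (exit $?)"
    sample_auth_log > "$tmp/auth.log"
    sudo_root_by_user "$tmp/auth.log" apache
    rm -rf "$tmp"
}
case ${0##*/} in xi_detect.sh) demo ;; esac
```

Take the baseline right after patching or after verifying the include by hand, and store it where the application account cannot write, otherwise an attacker who can edit the include can also "fix" the baseline.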