Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-34134

CVE-2025-34134: Nagios XI BPI RCE Vulnerability

CVE-2025-34134 is a remote code execution vulnerability in Nagios XI's Business Process Intelligence component that allows authenticated admins to execute arbitrary code. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-34134 Overview

CVE-2025-34134 is a remote code execution vulnerability affecting Nagios XI versions prior to 2024R1.4.2. The flaw resides in the Business Process Intelligence (BPI) component, which fails to properly validate and sanitize administrator-controlled configuration parameters such as bpi_logfile and bpi_configfile. An authenticated administrative user can abuse these parameters to create or overwrite files inside the webroot. When those files carry executable extensions and are served by the web application, attackers achieve arbitrary code execution as the Nagios XI web application user. The issue is tracked under CWE-78 and carries a CVSS v4.0 score of 9.4.

Critical Impact

Authenticated administrators can write attacker-controlled files into the Nagios XI webroot and execute arbitrary code, enabling full compromise of the host operating system.

Affected Products

  • Nagios XI versions 2024R1 through 2024R1.4.1
  • Nagios XI 2024R1.0.1, 2024R1.0.2, 2024R1.1.x, 2024R1.2.x, 2024R1.3.x
  • All Nagios XI releases prior to 2024R1.4.2

Discovery Timeline

  • 2025-10-30 - CVE-2025-34134 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-34134

Vulnerability Analysis

The vulnerability exists in the Business Process Intelligence (BPI) module of Nagios XI. BPI accepts configuration parameters from administrative users to specify file locations, including bpi_logfile and bpi_configfile. The application uses these values to create or write files without enforcing path or extension restrictions. An attacker with administrative credentials redirects these parameters to paths inside the web-served directory tree. Once a file exists under the webroot, the BPI configuration editor allows further editing, letting the attacker inject server-executable content such as PHP. The web server then processes the planted file on request, executing attacker-supplied code as the Nagios XI web application user. This serves as a pivot for further host compromise through local privilege escalation or persistence mechanisms.

Root Cause

The root cause is insufficient validation and sanitization of administrator-controlled BPI configuration inputs. The application trusts the supplied file paths and extensions without enforcing an allowlist of safe directories or non-executable file types. The condition maps to CWE-78: Improper Neutralization of Special Elements used in an OS Command, reflecting the downstream command execution made possible by the file-write primitive.

Attack Vector

Exploitation requires network access to the Nagios XI web interface and valid administrative credentials. The attacker submits crafted BPI configuration parameters pointing bpi_logfile or bpi_configfile to a target path within the webroot using an executable extension. The attacker then uses the BPI configuration editor to insert server-side code into the planted file. Requesting the file through the web server triggers execution under the privileges of the Nagios XI web application user, enabling command execution and further lateral movement.

No public proof-of-concept exploit is currently listed in Exploit-DB or CISA KEV. The EPSS probability stands at 2.007% (78th percentile). Technical details are available in the VulnCheck Advisory for Nagios XI RCE.

Detection Methods for CVE-2025-34134

Indicators of Compromise

  • Unexpected files with executable extensions (.php, .phtml, .cgi) appearing under the Nagios XI webroot, particularly within BPI-related directories.
  • Modifications to bpi_logfile or bpi_configfile configuration values referencing paths outside standard BPI log and config directories.
  • Web access log entries showing GET or POST requests to newly created files inside the webroot following BPI configuration changes.
  • Outbound network connections originating from the Nagios XI web application user to unfamiliar destinations following BPI configuration activity.

Detection Strategies

  • Monitor file integrity on the Nagios XI webroot and BPI configuration directories for new or modified files outside patch windows.
  • Audit Nagios XI administrative actions, focusing on changes to BPI configuration parameters that reference file paths.
  • Inspect web server logs for requests targeting unusual file names under BPI paths shortly after administrative sessions.
  • Correlate process execution telemetry from the web application user with subsequent shell, scripting, or reconnaissance commands.

Monitoring Recommendations

  • Forward Nagios XI application logs, web server access logs, and host process telemetry to a centralized SIEM for cross-source correlation.
  • Alert on administrative login events to Nagios XI from new source IP addresses or outside business hours.
  • Track child processes spawned by the web server account, such as php, sh, bash, python, or curl, which can indicate post-exploitation activity.
  • Baseline the Nagios XI webroot file inventory and alert on deviations.

How to Mitigate CVE-2025-34134

Immediate Actions Required

  • Upgrade Nagios XI to version 2024R1.4.2 or later as listed in the Nagios XI Changelog.
  • Restrict administrative access to the Nagios XI web interface using network segmentation and IP allowlisting.
  • Rotate Nagios XI administrative credentials and enforce strong, unique passwords with multi-factor authentication where supported.
  • Audit the webroot for unauthorized files and review recent BPI configuration changes for malicious paths.

Patch Information

Nagios resolved CVE-2025-34134 in Nagios XI release 2024R1.4.2. Refer to the Nagios XI Security Overview and the Nagios XI Changelog for upgrade procedures and verification steps. Apply the patch in a maintenance window and validate BPI functionality after upgrade.

Workarounds

  • Limit Nagios XI administrative accounts to a minimum number of trusted users until the patch can be applied.
  • Place the Nagios XI web interface behind a VPN or reverse proxy enforcing additional authentication.
  • Apply restrictive filesystem permissions on the Nagios XI webroot so the web application user cannot write executable file types into served directories.
  • Disable or restrict the BPI component if it is not required in the environment.
bash
# Example: tighten webroot permissions and confirm Nagios XI version
sudo find /usr/local/nagiosxi/html -type f -name "*.php" -exec chmod 0444 {} \;
sudo chown -R root:nagios /usr/local/nagiosxi/html/includes/components/bpi
cat /usr/local/nagiosxi/var/xi-version.txt

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.