CVE-2025-34322 Overview
CVE-2025-34322 is an authenticated command injection vulnerability in Nagios Log Server versions prior to 2026R1.0.1. The flaw resides in the experimental Natural Language Queries feature. User-controlled settings, including model selection and connection parameters, are read from the global configuration and concatenated into a shell command executed via shell_exec(). The product fails to sanitize these inputs before invocation, allowing authenticated administrators to inject arbitrary shell commands. Successful exploitation results in arbitrary command execution as the www-data user and full compromise of the Log Server host. The vulnerability is tracked under [CWE-78] (OS Command Injection).
Critical Impact
Authenticated users with access to the Global Settings page can achieve arbitrary command execution as www-data on the Nagios Log Server host.
Affected Products
- Nagios Log Server versions prior to 2026R1.0.1
- Nagios Log Server 2026R1 (initial release)
- Deployments with the experimental Natural Language Queries feature configured
Discovery Timeline
- 2025-11-17 - CVE-2025-34322 published to the National Vulnerability Database
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-34322
Vulnerability Analysis
The vulnerability exists in the Natural Language Queries feature introduced as an experimental capability in Nagios Log Server. The feature reads configuration values from the application's global settings store and assembles a command string that is passed to PHP's shell_exec() function. Because no input validation or argument escaping is applied, settings such as model selection and connection parameters become an attack surface for command injection.
An authenticated user with permission to modify the Global Settings page can place shell metacharacters or additional command tokens into the affected fields. When the application later executes the assembled command, the injected payload runs in the context of the web server account, www-data. From there, attackers can read sensitive log data, pivot inside the network, or persist on the host.
Root Cause
The root cause is unsafe concatenation of user-controlled configuration values into a shell command string, combined with the use of shell_exec() without escapeshellarg(), escapeshellcmd(), or an exec-style API that accepts argument arrays. This is a textbook [CWE-78] OS Command Injection.
Attack Vector
The attack requires network access to the Log Server web interface and authenticated credentials with privileges to modify Global Settings. The attacker submits crafted values via the settings UI or its underlying API. The server then writes those values to configuration. When the Natural Language Queries flow is invoked, the malicious tokens are interpolated into a shell command and executed. Refer to the VulnCheck advisory and the They Hack technical write-up for exploitation details. No proof-of-concept code is reproduced here.
Detection Methods for CVE-2025-34322
Indicators of Compromise
- Unexpected child processes spawned by the Nagios PHP web stack under the www-data account, such as sh, bash, curl, wget, nc, or python.
- Modifications to Natural Language Queries configuration fields containing shell metacharacters such as ;, |, &&, backticks, or $(...).
- Outbound network connections originating from the Log Server host to untrusted destinations shortly after a settings change.
Detection Strategies
- Audit Nagios Log Server configuration history for changes to model name, endpoint URL, or connection parameter fields associated with the Natural Language Queries feature.
- Inspect web server access logs for POST requests to Global Settings endpoints made by privileged accounts, correlated with subsequent process executions.
- Apply file integrity monitoring to the Log Server installation directory and the system crontab to identify post-exploitation persistence.
Monitoring Recommendations
- Forward Apache or Nginx access logs and Linux auditd process-execution events from the Log Server host into a centralized analytics platform.
- Alert on any execution chain where the PHP-FPM or Apache worker process is the parent of a shell interpreter on Log Server hosts.
- Track administrative logins to the Nagios web UI and flag sessions that modify Global Settings outside of approved change windows.
How to Mitigate CVE-2025-34322
Immediate Actions Required
- Upgrade Nagios Log Server to version 2026R1.0.1 or later as published in the Nagios Log Server 2026R1.0.1 changelog.
- Restrict administrative access to the Global Settings page to a minimal set of trusted operators and rotate credentials for any accounts that may have been exposed.
- Review Natural Language Queries configuration values for unexpected characters or unfamiliar endpoints and revert any unauthorized changes.
Patch Information
Nagios resolved the issue in Nagios Log Server 2026R1.0.1. Patch availability and supported upgrade paths are documented on the Nagios security page. Apply the vendor patch in all environments where the Natural Language Queries feature has been enabled or evaluated.
Workarounds
- Disable the experimental Natural Language Queries feature until the patched release is deployed.
- Place the Log Server web interface behind an authenticated reverse proxy or VPN to limit who can reach the Global Settings page.
- Enforce least privilege on Nagios Log Server administrative roles so that ordinary users cannot modify global configuration.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
