CVE-2025-34134

Name of the Vulnerable Software and Affected Versions Nagios XI versions prior to 2024R1.4.2

Description Nagios XI versions prior to 2024R1.4.2 have a remote code execution issue in the Business Process Intelligence (BPI) component. The issue is due to inadequate validation and sanitization of administrator-controlled BPI configuration parameters, specifically bpi logfile and bpi configfile. This allows an authenticated administrative user to create or overwrite files within the webroot and modify them using the BPI configuration editor. If these files have executable extensions and are served by the web application, arbitrary code execution can occur in the context of the Nagios XI web application user. Successful exploitation can lead to arbitrary command execution with the privileges of the Nagios XI web application user, potentially allowing further control of the host operating system.

Recommendations Update Nagios XI to version 2024R1.4.2 or later.