PT-2025-44522 · Nagios Enterprises · Nagios XI

Published: 2025-10-30 · Updated: 2025-10-31 · CVE-2025-34284

CVSS v4.0: 9.4
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions

Nagios XI versions prior to 2024R2

Description

Nagios XI versions prior to 2024R2 have a command injection issue in the WinRM plugin. The plugin does not properly validate user-supplied parameters, which allows an authenticated administrator to inject shell metacharacters into backend command invocations. Successful exploitation can lead to arbitrary command execution with the privileges of the Nagios XI web application user. This could allow attackers to modify configuration, steal data, disrupt monitoring, or execute commands on the host operating system.

Recommendations

Update Nagios XI to version 2024R2 or later.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-13625
CVE-2025-34284

Affected Products

Nagios XI
WinRM Plugin