QwikSec

Security Database

CVE

CWE

Training

CVE-2025-34227

Published: Sep 25, 2025

Modified: May 15, 2026

PUBLISHED

Description

Nagios XI < 2026R1 is vulnerable to an authenticated command injection vulnerability within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query wizards. It is possible to inject shell characters into arguments provided to the service and execute arbitrary system commands on the underlying host as the `nagios` user.

Vendor	Product	Versions
Nagios	Nagios XI	affected `0 - < 2026R1`

Weaknesses (CWE)

References

https://www.nagios.com/changelog/

vendor-advisory

patch

https://www.nagios.com/products/security/

vendor-advisory

patch

https://www.vulncheck.com/advisories/nagios-xi-config-wizard-auth-command-injection

third-party-advisory

https://theyhack.me/CVE-2025-34227-Nagios-XI-Wizard-Command-Injection/

technical-description

exploit

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.