Back to search
CVE-2025-34287
Published: Oct 30, 2025
Modified: Nov 17, 2025
PUBLISHED
Description
Nagios XI versions prior to 2024R2 contain an improperly owned script, process_perfdata.pl, which is executed periodically as the nagios user but owned by www-data. Because the file was writable by www-data, an attacker with web server privileges could modify its contents, leading to arbitrary code execution as the nagios user when the script is next run. This improper ownership and permission configuration enables local privilege escalation.
| Vendor | Product | Versions |
|---|---|---|
Nagios | XI | affected 0 - < 2024R2 |
Weaknesses (CWE)
References
https://www.nagios.com/changelog/nagios-xi/
release-notes
patch
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now