Nagios XI 2024R1.4.2 RCE via BPI Log/Config File Write
CVE-2025-34134 Published on October 30, 2025
Nagios XI < 2024R1.4.2 RCE via Business Process Intelligence (BPI)
Nagios XI versions prior to 2024R1.4.2 contain a remote code execution vulnerability in the Business Process Intelligence (BPI) component. Insufficient validation and sanitization of administrator-controlled BPI configuration parameters (notably bpi_logfile and bpi_configfile) allow an authenticated administrative user to cause the product to create or overwrite files within the webroot and subsequently edit them via the BPI configuration editor. When such files carry executable extensions and are served by the web application, arbitrary code may be executed in the context of the web application user. Successful exploitation results in arbitrary command execution with the privileges of the Nagios XI web application user and can be leveraged to gain further control of the underlying host operating system.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2025-34134 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2025-34134
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-34134 are published in these products:
Affected Versions
Nagios XI:- Before 2024R1.4.2 is unknown.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.