CVE-2025-34134: 
Nagios XI vulnerability analysis and mitigation

CVE-2025-34134 affects Nagios XI versions prior to 2024R1.4.2, specifically targeting the Business Process Intelligence (BPI) component. The vulnerability was discovered by M. Cory Billington and disclosed on October 30, 2025. This critical security flaw allows authenticated administrative users to achieve remote code execution through insufficient validation and sanitization of BPI configuration parameters (VulnCheck Advisory).

The vulnerability stems from improper validation and sanitization of administrator-controlled BPI configuration parameters, specifically bpi_logfile and bpi_configfile. The flaw is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). It carries a CVSS v4.0 base score of 9.4 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H, indicating network accessibility, low attack complexity, and high potential impact (VulnCheck Advisory).

Successful exploitation allows an attacker to create or overwrite files within the webroot and subsequently edit them via the BPI configuration editor. When these files carry executable extensions and are served by the web application, arbitrary code can be executed in the context of the web application user. This execution can be leveraged to gain further control of the underlying host operating system (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 2024R1.4.2. Organizations are strongly advised to upgrade to this version or later to address the security risk. The fix includes improved validation and sanitization of BPI configuration parameters (Nagios Changelog).