CVE-2025-34280
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Nagios Network Analyzer versions prior to 2024R2.0.1 contain a vulnerability in the LDAP certificate management functionality whereby the certificate removal operation fails to apply adequate input sanitation. An authenticated administrator can trigger command execution on the underlying host in the context of the web application service, resulting in remote code execution with the service's privileges.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Nagios | Network Analyzer | 0 < 2024R2.0.1 | affected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.nagios.com/products/security/#network-analyzer
- https://www.nagios.com/changelog/nagios-network-analyzer/
- https://www.vulncheck.com/advisories/nagios-network-analyzer-rce-in-ldap-certificate-removal-function
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.