
Description

Nagios Network Analyzer versions prior to 2024R2.0.1 contain an OS command injection vulnerability in the LDAP certificate management functionality: the certificate removal operation does not adequately sanitize its input before that input reaches a command executed on the underlying host. An authenticated administrator can therefore execute arbitrary commands in the context of the web application service, resulting in remote code execution with that service's privileges.
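The weakness class described above, as an added illustrative example in Python (this is not Nagios Network Analyzer's code, which the record does not show): a certificate-removal helper that interpolates the certificate name into a shell command line, beside a hardened version that uses an allow-list, confines the path to the certificate directory and unlinks the file directly without a shell. The function names, directory layout and sample payload are assumptions constructed for the demonstration.

```python
import os
import re
import subprocess
import tempfile

# Allow-list for certificate file names (an assumption for this demo): no shell
# metacharacters, no path separators, no leading dot, so ".." cannot slip through.
CERT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def remove_cert_vulnerable(cert_dir: str, cert_name: str) -> int:
    """CWE-78 pattern: the caller-controlled name is pasted into a shell command
    line, so ';', '|', '$(...)' and friends become command separators."""
    cmd = f"rm -f {cert_dir}/{cert_name}"
    return subprocess.run(cmd, shell=True).returncode


def remove_cert_hardened(cert_dir: str, cert_name: str) -> bool:
    """Same operation without a shell: strict allow-list on the name, path
    confinement to cert_dir (after resolving symlinks), then a direct unlink."""
    if not CERT_NAME_RE.fullmatch(cert_name):
        raise ValueError(f"rejected certificate name: {cert_name!r}")
    base = os.path.realpath(cert_dir)
    target = os.path.realpath(os.path.join(base, cert_name))
    if os.path.dirname(target) != base:
        raise ValueError("certificate path escapes the certificate directory")
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Runs both versions against a constructed certificate directory and
    reports what each one did."""
    with tempfile.TemporaryDirectory() as work:
        cert_dir = os.path.join(work, "certs")
        os.mkdir(cert_dir)
        cert = os.path.join(cert_dir, "ldap-ca.pem")
        marker = os.path.join(work, "injected.txt")
        open(cert, "w").close()

        # Constructed attacker input: a valid-looking name followed by a second
        # command. Only the shell-backed version will honour the separator.
        payload = f"ldap-ca.pem; echo injected > {marker}"

        remove_cert_vulnerable(cert_dir, payload)
        vuln_injected = os.path.exists(marker)

        try:
            remove_cert_hardened(cert_dir, payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

        try:
            remove_cert_hardened(cert_dir, "../injected.txt")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True

        open(cert, "w").close()  # the vulnerable call removed it; recreate it
        hardened_removed = remove_cert_hardened(cert_dir, "ldap-ca.pem")

        return {
            "vuln_injected": vuln_injected,
            "hardened_rejected": hardened_rejected,
            "traversal_rejected": traversal_rejected,
            "hardened_removed": hardened_removed,
            "cert_gone": not os.path.exists(cert),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened version never hands the name to a shell at all; the allow-list is the primary control and the realpath check is defence in depth against a symlink inside the certificate directory pointing elsewhere. Quoting the name into a shell string would also stop this particular payload, but avoiding the shell removes the whole class of parsing mistakes rather than one instance.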

PUBLISHED Reserved 2025-04-15 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck

HIGH: 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 2024R2.0.1
affected

Credits

Haoyu Li (finder)

Shiwu Zhao (finder)

rmb122 (finder)

rry (finder)

Xingchen Chen (finder)

Ru Tan (finder)

Qixu Liu (finder)

References

www.nagios.com/products/security/ (vendor-advisory, patch)

www.nagios.com/changelog/nagios-network-analyzer/ (release-notes, patch)

www.vulncheck.com/...ce-in-ldap-certificate-removal-function (third-party-advisory)

cve.org (CVE-2025-34280)

nvd.nist.gov (CVE-2025-34280)
