Cyber Posture

CVE-2025-67255

Severity: High
Published: 29 December 2025
Modified: 15 January 2026
KEV Added: (not recorded)
Patch: (not recorded)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0110 (78.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

In NagiosXI 2026R1.0.1 build 1762361101, Dashboard parameters lack proper filtering, allowing any authenticated user to exploit a SQL Injection vulnerability.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates validation of untrusted inputs such as the Dashboard parameters, which is the control that would have stopped the injection at the source.

Prevent: Requires identification, reporting, and correction of flaws such as the unfiltered Dashboard parameters that enable the injection.

Prevent / Detect: Enables vulnerability scanning to identify SQL injection issues in the NagiosXI Dashboard parameters and to drive their remediation.

Security Summary

CVE-2025-67255 is a SQL injection vulnerability (CWE-89) affecting NagiosXI version 2026R1.0.1 build 1762361101. The issue stems from Dashboard parameters that reach the database query without proper filtering, so any authenticated user can alter the SQL the application executes. Published on 2025-12-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The PR:L metric means the attacker needs a Nagios XI login, but nothing beyond a low-privileged one; S:U means the rated impact is on the Nagios XI application and its database rather than on systems beyond it.

Any low-privileged authenticated user can exploit this vulnerability remotely without user interaction. By injecting SQL through the unfiltered Dashboard parameters, an attacker can read data the account was never meant to see (other users' records, credentials or monitoring configuration held in the database), modify or delete rows, or disrupt the service, which is what the high C/I/A ratings reflect. Practitioners should confirm whether their deployment runs the affected build, treat every account that can log in as a potential source of this attack until the build is replaced, and check the vendor site for a fixed build, since this page records no patch.
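The bug class described above, as an added example rather than code from Nagios XI or from the page's sources: a vulnerable query that pastes a dashboard parameter into SQL text, beside the hardened form that validates the parameter and binds it. The table layout, the `dashboard_id` parameter name, the `users`/`dashboards` tables and the function names are assumptions made for illustration; SQLite stands in for the product's real database.

```python
"""
Added example, not Nagios XI code: a minimal model of the bug class behind
CVE-2025-67255, an authenticated SQL injection through an unfiltered
dashboard parameter, beside the hardened form. The table layout, the
`dashboard_id` parameter name and the function names are assumptions
made for illustration; SQLite stands in for the product's real database.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each owning one dashboard."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
        CREATE TABLE dashboards (dashboard_id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT);
        INSERT INTO users VALUES (1, 'alice', 'KEY-ALICE-SECRET');
        INSERT INTO users VALUES (2, 'bob',   'KEY-BOB-SECRET');
        INSERT INTO dashboards VALUES (10, 1, 'Alice overview');
        INSERT INTO dashboards VALUES (20, 2, 'Bob overview');
        """
    )
    return conn


def load_dashboard_vulnerable(conn: sqlite3.Connection, current_user_id: int,
                              dashboard_id: str) -> list:
    """
    Vulnerable pattern: the request parameter is pasted into the SQL text.
    The ownership check (user_id = current user) is only text, so a caller
    who controls dashboard_id can append UNION/OR clauses and read past it.
    """
    sql = ("SELECT title FROM dashboards "
           f"WHERE user_id = {current_user_id} AND dashboard_id = {dashboard_id}")
    return [row[0] for row in conn.execute(sql)]


def load_dashboard_hardened(conn: sqlite3.Connection, current_user_id: int,
                            dashboard_id: str) -> list:
    """
    Hardened pattern: allow-list the parameter's shape first (ASCII digits
    only, bounded length), then bind it as a query parameter so the SQL
    text is fixed at write time and the value can never become syntax.
    """
    if not re.fullmatch(r"[0-9]{1,10}", dashboard_id):
        raise ValueError("dashboard_id must be an unsigned integer")
    sql = "SELECT title FROM dashboards WHERE user_id = ? AND dashboard_id = ?"
    return [row[0] for row in conn.execute(sql, (current_user_id, int(dashboard_id)))]


# Constructed attacker input: a low-privileged user (bob, user_id 2) asks for
# dashboard 0 (which does not exist) and appends a UNION that pulls every
# user's API key out of an unrelated table.
INJECTION_PAYLOAD = "0 UNION SELECT api_key FROM users"


def demo() -> dict:
    """Run both variants as bob and return what each one hands back."""
    conn = build_db()
    result = {
        "vulnerable_normal": load_dashboard_vulnerable(conn, 2, "20"),
        "vulnerable_injected": sorted(load_dashboard_vulnerable(conn, 2, INJECTION_PAYLOAD)),
        "hardened_normal": load_dashboard_hardened(conn, 2, "20"),
    }
    try:
        load_dashboard_hardened(conn, 2, INJECTION_PAYLOAD)
        result["hardened_injected"] = "accepted"
    except ValueError as exc:
        result["hardened_injected"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The validation step alone would already stop this payload, but it is the bound parameter that closes the class: even a value that passes a looser allow-list cannot change the query's structure once it travels as data rather than as SQL text.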

Resources for further details are a GitHub repository at https://github.com/YongYe-Security/NagiosXI/tree/main and the official Nagios site at https://www.nagios.org/; security practitioners should review the vendor site in particular for advisories, patches, or mitigation guidance.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: vendor nagios, product nagios xi, version 2026 (the description names build 2026R1.0.1 build 1762361101)

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

The unfiltered Dashboard parameters let a low-privileged authenticated user run SQL of their choosing against the Nagios XI database over the network. Using an existing account to exploit that service from inside the network is T1210; reading out database contents (credentials, monitoring configuration, other users' data) through the injected queries is T1213.006. The PR:L vector means the attacker must already hold, or have obtained, a Nagios XI login; where the web interface is exposed to the internet, the same exploitation also fits T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
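A detection check for the collection activity mapped above, as an added example that is not a Nagios or Cyber Posture artifact: a scanner over web-server access logs that flags SQL injection attempts against dashboard endpoints, scoped to the path that matters and attributed to the authenticated account. The `/nagiosxi/dashboards/` prefix, the log lines, the regexes and the presence of the user name in the log's auth field are constructed assumptions for illustration; a real deployment may need session-to-user correlation to supply the account.

```python
"""
Added example, not a Nagios or Cyber Posture artifact: a small detector that
scans web-server access logs for SQL injection attempts against dashboard
endpoints. The URL prefix, the log lines and the regexes are constructed
assumptions made for illustration; the lines assume the server logs the
authenticated user name in the combined-format auth field.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

DASHBOARD_PATH_PREFIX = "/nagiosxi/dashboards/"   # assumption: adjust to the deployment

# Combined log format: ip ident user [time] "method url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators of query rewriting; each is deliberately narrow to keep noise down
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "quote_boolean": re.compile(r"'\s*(or|and)\s+['\d(]", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment_tail": re.compile(r"(--|#)\s*$|/\*"),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|select)\b", re.I),
}

# Constructed sample: one benign request, two injection attempts by the same
# low-privileged account, and a request outside the dashboard path that
# happens to contain SQL keywords (it is ignored by the path scoping)
SAMPLE_LOG = """\
10.0.0.5 - alice [29/Dec/2025:10:01:02 +0000] "GET /nagiosxi/dashboards/?dashboard_id=10 HTTP/1.1" 200 5120
10.0.0.9 - bob [29/Dec/2025:10:03:15 +0000] "GET /nagiosxi/dashboards/?dashboard_id=0%20UNION%20SELECT%20api_key%20FROM%20users HTTP/1.1" 200 7110
10.0.0.9 - bob [29/Dec/2025:10:03:40 +0000] "GET /nagiosxi/dashboards/?dashboard_id=20%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7110
10.0.0.7 - carol [29/Dec/2025:10:05:00 +0000] "GET /nagiosxi/reports/?range=last%20union%20select HTTP/1.1" 200 2048
"""


def find_sqli_attempts(log_text: str) -> list:
    """Return one finding per (request, parameter) pair that trips a pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("url"))
        if not parts.path.startswith(DASHBOARD_PATH_PREFIX):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl already percent-decodes once; decode again so a
            # double-encoded payload (%2527 -> %27 -> ') is seen in the clear
            decoded = unquote_plus(value)
            matched = [label for label, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
            if matched:
                findings.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": decoded,
                    "indicators": matched,
                })
    return findings


if __name__ == "__main__":
    for f in find_sqli_attempts(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} "
              f"{f['param']}={f['value']!r} -> {f['indicators']}")
```

Because the vulnerability needs an authenticated user, the account in each finding is the useful pivot: several findings from one login within a short window, followed by a 200 response, is the pattern to alert on, and that account's other activity (T1213.006 collection, new dashboards or users) is what to pull next.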

References

https://github.com/YongYe-Security/NagiosXI/tree/main
https://www.nagios.org/