
CVE-2025-67254: n/a

Severity: High
Tags: Vulnerability, CVE-2025-67254, cve, cve-2025-67254
Published: Mon Dec 29 2025 (12/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

NagiosXI 2026R1.0.1 build 1762361101 is vulnerable to Directory Traversal in /admin/coreconfigsnapshots.php.

AI-Powered Analysis

Last updated: 01/07/2026, 00:34:55 UTC

Technical Analysis

CVE-2025-67254 is a directory traversal vulnerability identified in NagiosXI 2026R1.0.1 build 1762361101, specifically within the /admin/coreconfigsnapshots.php script. Directory traversal (CWE-22) vulnerabilities occur when an application improperly sanitizes user-supplied input used to construct file paths, allowing attackers to access files outside the intended directory. In this case, the vulnerability enables remote attackers to manipulate file path parameters without authentication or user interaction, thereby reading arbitrary files on the server. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high impact on confidentiality (C:H), with no impact on integrity or availability. The attack vector is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N). Although no exploits have been reported in the wild, the vulnerability presents a significant risk due to the sensitive nature of files that could be exposed, including configuration files, credentials, or other critical data stored on the NagiosXI server. NagiosXI is widely used for IT infrastructure monitoring, and compromise of its configuration files could lead to further attacks or data leakage. The absence of available patches at the time of reporting necessitates immediate risk mitigation through access controls and monitoring. The vulnerability was reserved on December 8, 2025, and published on December 29, 2025, indicating recent discovery and disclosure.

Potential Impact

The primary impact of CVE-2025-67254 is unauthorized disclosure of sensitive information due to the ability to read arbitrary files on the NagiosXI server. For European organizations, this could lead to exposure of critical configuration data, credentials, or proprietary information, potentially facilitating further attacks such as privilege escalation or lateral movement within networks. Organizations relying on NagiosXI for monitoring critical infrastructure, financial systems, or government services face heightened risk, as attackers could leverage disclosed information to disrupt operations or compromise additional systems. The vulnerability does not directly affect system integrity or availability but poses a significant confidentiality risk. Given the lack of authentication requirements and ease of exploitation over the network, attackers can quickly exploit this flaw if the vulnerable endpoint is exposed externally. This elevates the threat level for European entities with internet-facing NagiosXI deployments or insufficient network segmentation. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting personal and sensitive data, so data breaches resulting from this vulnerability could lead to legal and financial consequences.

Mitigation Recommendations

1. Immediately restrict access to the /admin/coreconfigsnapshots.php endpoint by implementing network-level controls such as IP whitelisting or VPN-only access to NagiosXI management interfaces.
2. Deploy web application firewall (WAF) rules to detect and block directory traversal patterns, specifically targeting payloads attempting to traverse directories (e.g., ../ sequences).
3. Monitor web server and application logs for suspicious requests targeting the vulnerable script to identify potential exploitation attempts.
4. Once available, promptly apply official patches or updates from NagiosXI to remediate the vulnerability.
5. Conduct a thorough audit of NagiosXI configurations and sensitive files to identify any unauthorized access or data leakage.
6. Implement strict input validation and sanitization on all user-supplied parameters in custom or third-party NagiosXI plugins or scripts.
7. Segment NagiosXI servers from public networks and limit exposure to trusted administrative networks only.
8. Educate IT and security teams about this vulnerability to ensure rapid detection and response to exploitation attempts.
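The log monitoring in recommendation 3 can be sketched as a small access-log scanner. This is an added example, not code from Nagios or from this advisory; it assumes Apache/nginx combined log format, and the sample lines and the parameter name `example_param` are constructed, since the advisory does not name the affected parameter.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET = "/admin/coreconfigsnapshots.php"  # endpoint named in the advisory
# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding, e.g. %252e%252e -> %2e%2e -> '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is exactly '..'."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))

def suspicious_requests(lines):
    """Requests to TARGET whose query string carries a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["uri"])
        # Normalise so /admin//coreconfigsnapshots.php or encoded paths still match.
        if posixpath.normpath(fully_decode(parts.path)) != TARGET:
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(value):
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "param": name, "decoded": fully_decode(value)})
    return hits

# Constructed sample lines; "example_param" is a placeholder parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2025:10:00:01 +0000] "GET /admin/coreconfigsnapshots.php?example_param=1762361101 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Dec/2025:10:02:13 +0000] "GET /admin/coreconfigsnapshots.php?example_param=../../../etc/hostname HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.7 - - [30/Dec/2025:10:02:19 +0000] "GET /admin/coreconfigsnapshots.php?example_param=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '203.0.113.5 - - [30/Dec/2025:10:05:40 +0000] "GET /index.php?page=../x HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so parameters sent in a POST body need application-level or WAF logging to be visible. A 200 status on a flagged request is the case to prioritise during the audit in recommendation 5.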


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-08T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 695450b4db813ff03e2beef3

Added to database: 12/30/2025, 10:22:44 PM

Last enriched: 1/7/2026, 12:34:55 AM

Last updated: 2/6/2026, 12:06:31 PM
