In Nagios XI versions prior to 2024R1.1 a medium severity vulnerability CVE-2024-13992 was detected. This vulnerability allows remote attackers to execute arbitrary JavaScript in a victim’s browser via a crafted link that targets the “missing page” (404) page, due to improper validation or escaping of user-supplied input in `page-missing.php`. To address this issue, users should upgrade Nagios XI to version 2024R1.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13992.
Read more MonitoringIn Zabbix versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1 a medium severity vulnerability CVE-2025-27231 was identified. A Super Admin user could leak the LDAP “Bind password” by changing the LDAP “Host” to a rogue server. Although the password field is not normally readable after saving, this behavior allowed indirect exposure of sensitive credentials. To address this issue, users should upgrade Zabbix to versions 6.0.41, 7.0.18, 7.2.12, or 7.4.2 or later. For more details, see https://nvd.nist.gov/vuln/detail/CVE-2025-27231.
Read more MonitoringIn Zabbix versions 6.0.38 through 6.0.40, 7.0.9 through 7.0.16, 7.2.3 through 7.2.10, and 7.4.0 a low severity vulnerability CVE-2025-27236 was identified. A regular Zabbix user could search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining of some field values the user does not have access to. To address this issue, users should upgrade Zabbix to versions 6.0.41, 7.0.17, 7.2.11, or 7.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27236.
Read more MonitoringIn Zabbix Agent and Agent 2 on Windows versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1 a high severity vulnerability CVE-2025-27237 was detected. The OpenSSL configuration file is loaded from a path writable by low-privileged users, allowing malicious modification and potential local privilege escalation by injecting a DLL. To address this issue, users should upgrade Zabbix to versions 6.0.41, 7.0.18, 7.2.12, or 7.4.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27237.
Read more MonitoringIn Zabbix versions 6.0.0 through 6.0.40, 7.0.0 through 7.0.17, 7.2.0 through 7.2.11, and 7.4.0 through 7.4.1 a medium severity vulnerability CVE-2025-49641 was detected. A regular Zabbix user with no permission to the Monitoring → Problems view is still able to call the problem.view.refresh action and retrieve a list of active problems. To address this issue, users should upgrade Zabbix to versions 6.0.41, 7.0.18, 7.2.12, or 7.4.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49641.
Read more MonitoringIn Nagios XI versions prior to 2026R1 a high severity vulnerability CVE-2025-34227 was detected. This authenticated command injection issue affects the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query configuration wizards. By injecting shell characters into service arguments, an attacker could execute arbitrary system commands on the underlying host as the nagios user. To address this issue, users should upgrade to Nagios XI 2026R1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-34227.
Read more MonitoringIn Zabbix version 5.0 a medium severity vulnerability CVE-2025-27234 was detected. This vulnerability allows attackers to inject unexpected arguments into the smartctl command. In Zabbix 5.0 this can result in remote code execution. To address this issue, users should upgrade Zabbix to version 5.0.47 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27234.
Read more MonitoringIn Zabbix versions 6.0.0 through 6.0.39, 7.0.0 through 7.0.10, and 7.2.0 through 7.2.4 a medium severity vulnerability CVE-2025-27233 was detected. This vulnerability allows attackers to inject unexpected arguments into the smartctl command via the smart.disk.get parameters, which can be exploited to leak the NTLMv2 hash from a Windows system. To address this issue, users should upgrade Zabbix Agent 2 to versions 6.0.40, 7.0.11, 7.2.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27233.
Read more MonitoringIn Zabbix versions 7.0.0 through 7.0.13 and 7.2.0 through 7.2.7 a medium severity vulnerability CVE-2025-27238 was detected. This vulnerability allows users without any assigned user groups to retrieve information on all host prototypes via the hostprototype.get API method. To address this issue, users should upgrade Zabbix to versions 7.0.14 or 7.2.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27238.
Read more Monitoring