CVE-2016-0726
Published 2017-06-06
Priority: P260 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.26% (80.8th percentile)
The Fedora Nagios package uses "nagiosadmin" as the default password for the "nagiosadmin" administrator account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
Detection & IOCs
- Detect successful authentication to the Nagios web interface using the default credential pair 'nagiosadmin'/'nagiosadmin'; alert on logins from unexpected or external IP addresses, since the default configuration applies no IP-based access restriction.
- Only direct package installations of the Fedora Nagios package are affected; automated RHOSP deployment methods (packstack, opm, director) set the password through automation and do not retain the default credential.
- No IP-based access restriction is applied by default, so the Nagios admin interface is reachable without network-level controls while the default credential is in use.
- Information about the default credential is absent from the packaged README file, reducing operator awareness.
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 9.8 CRITICAL
GHSA
GHSA-rg2g-95pj-mc2p · ghsa_unreviewed · 2022-05-17
CVE-2016-0726 [CRITICAL] CWE-798
Red Hat
nagios: Configured administrative account with fixed password and no IP restriction as default
vendor_redhat · 2016-01-08 · CVSS 9.8
CVE-2016-0726 [CRITICAL] CWE-798
Package: nagios (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Will not fix
Package: nagios (Red Hat Enterprise Linux OpenStack Platform 6 (Juno)) - Will not fix
Package: nagios (Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)) - Will not fix
Package: nagios (Red Hat Gluster Storage 3.1) - Will not fix
No detection rules found.
No public exploits indexed.