CVE-2018-10738
published 2018-05-16

CVE-2018-10738: A SQL injection issue was discovered in Nagios XI before 5.4.13 via the admin/menuaccess.php chbKey1 parameter.

Priority: P259 · Severity: high · CVSS 3.0 base score: 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 42.56% (98.5th percentile)

Affected (2 ranges)

Vendor   Product    Version range        Fixed in
nagios   nagios_xi  5.2.0 – 5.2.9        -
nagios   nagios_xi  >= 5.4.0, < 5.4.13   5.4.13

Detection & IOCs (extracted from sources)

Path: /nagiosql/admin/menuaccess.php
Command: selSubMenu=1&subSave=1&chbKey1=-1%' and (select 1 from(select count(*),concat((select (select (select md5({{num}}))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
  • Look for POST requests to /nagiosql/admin/menuaccess.php with the chbKey1 parameter containing SQL injection payloads (e.g., single quotes, subselects, floor(rand()) error-based patterns).
  • The exploit uses an error-based SQL injection technique leveraging information_schema.tables with floor(rand(0)*2) group-by duplication error; monitor for this pattern in POST body parameters.
  • Use Shodan/FOFA queries to identify exposed Nagios XI instances as potential targets: shodan 'http.title:"nagios xi"', FOFA 'app="Nagios-XI"' or 'title="nagios xi"'.
  • Exploitation requires an authenticated administrator session; monitor for privileged admin accounts performing unusual POST requests to menuaccess.php.
  • The vulnerability only affects Nagios XI versions prior to 5.4.13; instances running 5.4.13 or later are not affected.
  • Exploitation requires high privileges (authenticated administrator), limiting the attack surface to compromised or malicious admin accounts.
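A small detector for the first two bullets above, added here as an example and not taken from the source page or from Nagios: it assumes a reverse proxy or WAF log that records the POST body, in the constructed format `<client> <method> <path> <body>`, and flags chbKey1 values carrying the quote, subselect, floor(rand()) and information_schema patterns named in the notes.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (assumed format: "<client> <method> <path> <body>").
# The third line is a condensed form of the indicator listed on this page.
SAMPLE_LOG = """\
10.0.0.5 POST /nagiosql/admin/menuaccess.php selSubMenu=1&subSave=1&chbKey1=12
10.0.0.5 GET /nagiosql/admin/menuaccess.php -
10.0.0.9 POST /nagiosql/admin/menuaccess.php selSubMenu=1&subSave=1&chbKey1=-1%25%27+and+(select+1+from(select+count(*),floor(rand(0)*2)x+from+information_schema.tables+group+by+x)a)%23
10.0.0.7 POST /nagiosql/admin/menuaccess.php selSubMenu=2&subSave=1&chbKey1=7
"""

TARGET_PATH = "/nagiosql/admin/menuaccess.php"

# Patterns taken from the detection notes: quotes/comment markers, a subselect,
# the floor(rand(0)*2) group-by duplication trick and information_schema lookups.
INJECTION_PATTERNS = [
    (r"['\"#]|--", "quote-or-comment"),
    (r"\(\s*select\b", "subselect"),
    (r"floor\s*\(\s*rand\s*\(", "floor-rand-errorbased"),
    (r"information_schema", "information_schema"),
]


def classify_chbkey1(value):
    """Return the names of the injection patterns matched by a chbKey1 value."""
    decoded = unquote_plus(value)  # second decode catches double-encoded payloads
    return [name for pat, name in INJECTION_PATTERNS
            if re.search(pat, decoded, re.IGNORECASE)]


def scan_log(text):
    """Return (client, matched_patterns) for suspicious POSTs to menuaccess.php."""
    hits = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        client, method, path, body = parts
        if method != "POST" or path.split("?")[0] != TARGET_PATH:
            continue
        params = parse_qs(body, keep_blank_values=True)  # URL-decodes each value
        for value in params.get("chbKey1", []):
            matched = classify_chbkey1(value)
            if matched:
                hits.append((client, matched))
    return hits


if __name__ == "__main__":
    for client, patterns in scan_log(SAMPLE_LOG):
        print(f"{client}: chbKey1 matched {', '.join(patterns)}")
```

A legitimate chbKey1 is a small numeric key, so any quote or SQL keyword in the value is a strong signal; correlate the client with the admin session that issued it, since the page notes the request needs administrator privileges.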

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     7.2    HIGH      CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P