CVE-2018-15710
published 2018-11-14

CVE-2018-15710: Nagios XI 5.5.6 allows local authenticated attackers to escalate privileges to root via Autodiscover_new.php.

Priority: P2 (62) high
CVSS 3.0: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 44.09% (98.6th percentile)

Affected (1 range)

Vendor: nagios
Product: nagios_xi
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • Monitor for sudo execution of autodiscover_new.php with shell metacharacters (`;`, backticks, `>&`) in the --addresses argument, indicating command injection exploitation of CVE-2018-15710.
  • Alert on HTTP GET requests to /nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php with a 'url' parameter containing '-o ' (curl output flag), indicating attempted webshell write via CVE-2018-15708.
  • Detect creation of new .php files under /usr/local/nagvis/share/ or /var/www/html/nagiosql/ by the apache user, which are writable drop locations used by the exploit chain.
  • Detect creation of .nse files in /var/tmp/ followed by sudo nmap --script execution, an alternative privilege escalation path used in the exploit.
  • Monitor for outbound /dev/tcp reverse shell connections spawned by php or nmap processes running as root, consistent with successful privilege escalation.
  • The privilege escalation is only possible because /etc/sudoers grants passwordless sudo to both 'nagios' and 'apache' users for autodiscover_new.php. Verify and harden sudoers entries as a detection baseline check.
  • autodiscover_new.php is protected by Source Guardian obfuscation, preventing static code analysis; detection must rely on behavioral/black-box indicators rather than source-level signatures.
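One way to implement the first indicator above (sudo execution of autodiscover_new.php with shell metacharacters in --addresses), as an added example that is not part of this page or of Nagios XI: a small Python detector run over constructed sudo syslog lines. It assumes sudo's standard syslog line layout ("user : ... ; USER=target ; COMMAND=..."); the hostname, the script path and the address values in the samples are placeholders.

```python
import re

# Shell metacharacters the page lists as exploitation indicators inside --addresses.
METACHARS = (";", "`", ">&")

# Standard sudo syslog line: "... sudo: <user> : ... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$")
# Value of --addresses, written as "--addresses=VALUE" or "--addresses VALUE",
# captured up to the next "--option" so injected spaces are not lost.
ADDR_RE = re.compile(r"--addresses(?:=|\s+)(?P<value>.*?)(?=\s+--|$)")


def check_sudo_line(line):
    """Return a finding dict when the line is a sudo run of autodiscover_new.php
    whose --addresses value carries shell metacharacters, otherwise None."""
    m = SUDO_RE.search(line)
    if not m:
        return None                      # not a sudo command record
    cmd = m.group("cmd")
    if "autodiscover_new.php" not in cmd:
        return None                      # some other sudo command
    a = ADDR_RE.search(cmd)
    if not a:
        return None                      # no --addresses argument at all
    value = a.group("value")
    hits = [c for c in METACHARS if c in value]
    if not hits:
        return None                      # plain address list, expected use
    return {"user": m.group("user"), "target": m.group("target"),
            "addresses": value, "metachars": hits}


def scan(lines):
    """Run check_sudo_line over an iterable of log lines; keep only findings."""
    return [f for f in (check_sudo_line(l) for l in lines) if f]


# Constructed sample log lines (host, path and addresses are placeholders, not from the page).
SAMPLE = [
    "Nov 14 10:00:01 nagiosxi sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/php /PLACEHOLDER/autodiscover_new.php --addresses=192.0.2.0/24",
    "Nov 14 10:00:05 nagiosxi sudo:   apache : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/php /PLACEHOLDER/autodiscover_new.php --addresses=192.0.2.1;id --scan",
    "Nov 14 10:00:09 nagiosxi sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/php /PLACEHOLDER/autodiscover_new.php --addresses `id`",
    "Nov 14 10:00:12 nagiosxi sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; "
    "COMMAND=/usr/bin/nmap -sn 192.0.2.0/24",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the two lines with metacharacters in --addresses produce findings; the benign scan and the unrelated nmap invocation are ignored.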

CVSS provenance

nvd  v3.0  7.8  HIGH  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  7.2  HIGH  AV:L/AC:L/Au:N/C:C/I:C/A:C
osv        7.5  HIGH