CVE-2018-15711
published 2018-11-14

Priority: P267, high, 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 36.01% (98.3th percentile)
Nagios XI 5.5.6 allows remote authenticated attackers to reset and regenerate the API key of more privileged users. The attacker can then use the new API key to execute API calls at elevated privileges.

Affected

1 ranges
Vendor    Product      Version range    Fixed in
nagios    nagios_xi

Detection & IOCs (extracted from sources)

url: https://192.168.1.208/nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts={%22func%22:%22set_random_api_key%22,%22args%22:{%22user_id%22:1}}&nsp=cc326511f1d7384bb9bf4ff619c9db91756574acb65217d27109923d6647a37e
path: /nagiosxi/ajaxhelper.php
command: cmd=getxicoreajax&opts={"func":"set_random_api_key","args":{"user_id":1}}
  • Monitor HTTP requests to /nagiosxi/ajaxhelper.php containing the parameter 'func=set_random_api_key' or the equivalent URL-encoded form, especially when issued by low-privileged users targeting user_id values belonging to admins (e.g., user_id=1 for nagiosadmin).
  • Alert on HTTP 200 responses from /nagiosxi/ajaxhelper.php with cmd=getxicoreajax and a 64-character alphanumeric string in the response body, which indicates a newly regenerated API key was returned to the requester.
  • Detect cross-user API key regeneration by correlating the authenticated session's user ID against the 'user_id' argument in the set_random_api_key call; a mismatch indicates unauthorized privilege escalation.
  • The 'nsp' (nonce/CSRF token) value in the exploit URL is session-specific and will differ per attacker session; detection rules should not rely on a static nsp value but instead focus on the cmd and func parameters.
  • The vulnerability affects Nagios XI 5.5.6 specifically; verify the installed version before applying detections to avoid false positives on patched instances.
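
The correlation described in the detection notes above, as an added example (not code from this CVE record or from Nagios): it scans access-log lines for set_random_api_key calls, ignores nsp, and flags a mismatch between the requester and the targeted user_id. The sample lines are constructed, and the log format (username in the remote-user field) and the USER_IDS map are assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache combined format). Assumption: the
# remote-user field holds the authenticated Nagios XI username.
SAMPLE_LOG = [
    '10.0.0.5 - lowpriv [14/Nov/2018:10:00:01 +0000] "GET /nagiosxi/ajaxhelper.php'
    '?cmd=getxicoreajax&opts={%22func%22:%22set_random_api_key%22,%22args%22:'
    '{%22user_id%22:1}}&nsp=PLACEHOLDER HTTP/1.1" 200 64',
    '10.0.0.9 - nagiosadmin [14/Nov/2018:10:05:00 +0000] "GET /nagiosxi/ajaxhelper.php'
    '?cmd=getxicoreajax&opts=%7B%22func%22%3A%22set_random_api_key%22%2C%22args%22'
    '%3A%7B%22user_id%22%3A1%7D%7D&nsp=PLACEHOLDER HTTP/1.1" 200 64',
    '10.0.0.5 - lowpriv [14/Nov/2018:10:06:00 +0000] "GET /nagiosxi/ajaxhelper.php'
    '?cmd=getxicoreajax&opts={%22func%22:%22some_other_func%22}&nsp=PLACEHOLDER'
    ' HTTP/1.1" 200 12',
]
USER_IDS = {"nagiosadmin": 1, "lowpriv": 7}  # hypothetical username -> user_id map
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def find_api_key_resets(lines, user_ids):
    """Return one finding per set_random_api_key call; nsp is ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, user, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/nagiosxi/ajaxhelper.php"):
            continue
        query = parse_qs(url.query)  # percent-decodes either encoding of opts
        if query.get("cmd") != ["getxicoreajax"]:
            continue
        try:
            opts = json.loads(query.get("opts", ["null"])[0])
        except ValueError:
            continue
        if not isinstance(opts, dict) or opts.get("func") != "set_random_api_key":
            continue
        args = opts.get("args")
        target_id = args.get("user_id") if isinstance(args, dict) else None
        own_id = user_ids.get(user)
        # Unknown requester or mismatched target is treated as cross-user.
        cross = own_id is None or str(target_id) != str(own_id)
        findings.append({"src": src, "user": user, "target_user_id": target_id,
                         "status": int(status), "cross_user": cross})
    return findings
```

Requests sent as POST carry these parameters in the body, which a standard access log does not record, so this covers only the GET form shown in the URL above.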

CVSS provenance

nvd    v3.0    8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd    v2.0    6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P