cbcvebase.
CVE-2018-8733
published 2018-04-18

Priority: P1 (79), critical, 9.8 (CVSS 3.0)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 27.51% (97.8th percentile)
Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

Affected

1 range

Vendor | Product   | Version range      | Fixed in
nagios | nagios_xi | >= 5.2.0, < 5.4.13 | 5.4.13

Detection & IOCs (extracted from sources)

url: /nagiosql/admin/settings.php
url: /nagiosql/admin/helpedit.php
url: /nagiosxi/api/v1/system/user
url: /nagiosxi/backend/index.php
url: /nagiosxi/login.php
path: /usr/local/nagiosxi/scripts/reset_config_perms.sh
command: cmd=submitcommand&command=1111&command_data=

snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Detection notes:
  • Detect unauthenticated POST to /nagiosql/admin/settings.php changing txtDBuser to 'root' — this is the auth-bypass step that enables the chained attack.
  • Detect POST to /nagiosql/admin/helpedit.php with selInfoKey1 parameter containing a URL-encoded single-quote followed by UNION or SELECT (SQLi payload to extract API keys).
  • Detect POST to /nagiosxi/api/v1/system/user with auth_level=admin in the body — indicates attacker is adding a rogue administrative user via stolen API key.
  • Detect POST to /nagiosxi/backend/index.php with query parameters cmd=submitcommand&command=1111 — this is the command injection endpoint used for privilege escalation to root.
  • Monitor for writes to /usr/local/nagiosxi/scripts/reset_config_perms.sh followed by sudo execution — this is the privilege escalation mechanism used to obtain a root shell.
  • The SQLi payload uses the pattern CONCAT('START_API:',<column>,':END_API') in the response body — scan HTTP responses from /nagiosql/admin/helpedit.php for this delimiter pattern to detect successful key exfiltration.
  • The exploit targets Nagios XI versions 5.2.6 through 5.4.12; correlate version string from /nagiosxi/ login page (input name='version') with this range to identify vulnerable hosts.
  • The auth bypass in /nagiosql/admin/settings.php requires NO authentication — any unauthenticated attacker can POST to this endpoint to change the database user to root, enabling subsequent SQLi steps.
  • The exploit resets the database credentials back to 'nagiosql'/'n@gweb' and deletes the added admin user after exploitation — forensic artifacts may be minimal; focus on network-level detection rather than post-exploitation host artifacts.
  • The SQLi parameter name differs by Nagios XI version: 'api_key' for versions >= 5.3, 'backend_ticket' for older versions — detection rules must account for both column names.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P