CVE-2018-8734
published 2018-04-18

Priority: P178 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 53.25% (98.8th percentile)
SQL injection vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary SQL commands via the selInfoKey1 parameter.

Affected (1 range)

Vendor   Product    Version range        Fixed in
nagios   nagios_xi  >= 5.2.0, < 5.4.13   5.4.13

Detection & IOCs (extracted from sources)

url: /nagiosql/admin/helpedit.php
url: /nagiosql/admin/settings.php
url: /nagiosxi/backend/index.php
url: /nagiosxi/api/v1/system/user
cookie: nagiosxi
command: cp /usr/local/nagiosxi/scripts/reset_config_perms.sh /usr/local/nagiosxi/scripts/reset_config_perms.sh.bak && echo "{cmd}" > /usr/local/nagiosxi/scripts/reset_config_perms.sh && sudo /usr/local/nagiosxi/scripts/reset_config_perms.sh && mv /usr/local/nagiosxi/scripts/reset_config_perms.sh.bak /usr/local/nagiosxi/scripts/reset_config_perms.sh
path: /usr/local/nagiosxi/scripts/reset_config_perms.sh
command: cmd=submitcommand&command=1111
snort rule (SID 2025772):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort rule (SID 2025775):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect SQLi exploitation attempt: POST to /nagiosql/admin/helpedit.php with 'selInfoKey1' parameter containing a URL-encoded single-quote followed by UNION or SELECT (matches ET SID 2025775 PCRE: /^[^&]+\x2527(?:UNION|SELECT)/Ri).
  • Detect auth-bypass DB user pivot: POST to /nagiosql/admin/settings.php with txtDBuser=root and txtDBpass=nagiosxi is the first step of the chained exploit.
  • Detect admin user creation via API: POST to /nagiosxi/api/v1/system/user with auth_level=admin and force_pw_change=0 using a harvested API key.
  • Detect command injection / privilege escalation: POST to /nagiosxi/backend/index.php with query parameters cmd=submitcommand and command=1111 containing shell metacharacters in command_data.
  • Monitor for modification of /usr/local/nagiosxi/scripts/reset_config_perms.sh on disk, which is overwritten with attacker-controlled content as the privilege escalation vector.
  • The SQLi payload exfiltrates API keys using the sentinel strings START_API: and :END_API in the HTTP response body; inspect responses from /nagiosql/admin/helpedit.php for these markers.
  • The exploit targets the 'selInfoKey1' POST parameter on /nagiosql/admin/helpedit.php as the SQL injection entry point per the CVE description.
  • The column name targeted by the SQLi differs between Nagios XI versions: 'api_key' is used for versions < 5.3.0 and 'backend_ticket' for versions >= 5.3.0; detection rules must account for both column names.
  • The exploit resets the Nagios DB user to 'nagiosql' with password 'n@gweb' after exploitation; these are the expected default credentials, so their presence in POST traffic to settings.php may indicate cleanup activity rather than initial compromise.
  • The module targets port 80 by default (RPORT 80); deployments running Nagios XI on HTTPS/443 will not be caught by rules anchored to port 80.
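As an added defender-side example (not part of this record, the ET ruleset or any Nagios code), the detection bullets above rendered as a small Python classifier run over constructed sample requests; the label names, SAMPLE_REQUESTS and the shell-metacharacter set are assumptions of the example, and the selInfoKey1 check is a direct port of the ET SID 2025775 PCRE.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Python port of the ET SID 2025775 PCRE, applied relative to "selInfoKey1=":
# one or more non-'&' bytes, then a URL-encoded quote (%27) and UNION/SELECT.
SELINFO_RE = re.compile(r"^[^&]+%27(?:UNION|SELECT)", re.I)
SHELL_META = re.compile(r"[;|&`$]")  # assumed metacharacter set for command_data
API_MARKER_RE = re.compile(r"START_API:(.*?):END_API", re.S)

# Constructed sample traffic: (method, request target, raw URL-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "/nagiosql/admin/helpedit.php", "selInfoKey1=1%27UNION%20SELECT"),
    ("POST", "/nagiosql/admin/settings.php", "txtDBuser=root&txtDBpass=nagiosxi"),
]

def _first(params, key):
    return params.get(key, [""])[0]  # first value of a key, '' when absent

def classify_request(method, url, body=""):
    """Detection labels (one per bullet above) matching a single POST request."""
    hits = []
    if method.upper() != "POST":
        return hits
    parts = urlsplit(url)
    query, form = parse_qs(parts.query), parse_qs(body, keep_blank_values=True)
    # 1. SQLi on selInfoKey1; the PCRE runs on the raw, still-encoded body.
    if parts.path.endswith("/admin/helpedit.php"):
        idx = body.find("selInfoKey1=")
        if idx != -1 and SELINFO_RE.match(body[idx + len("selInfoKey1="):]):
            hits.append("sqli-selInfoKey1")
    # 2. DB user pivot: settings.php repointed at the root database account.
    if parts.path.endswith("/admin/settings.php") and \
            (_first(form, "txtDBuser"), _first(form, "txtDBpass")) == ("root", "nagiosxi"):
        hits.append("db-user-pivot")
    # 3. Admin user creation through the XI API without a forced password change.
    if parts.path.endswith("/api/v1/system/user") and \
            (_first(form, "auth_level"), _first(form, "force_pw_change")) == ("admin", "0"):
        hits.append("api-admin-user-create")
    # 4. Backend command submission whose command_data carries shell metacharacters.
    if parts.path.endswith("/backend/index.php") and \
            (_first(query, "cmd"), _first(query, "command")) == ("submitcommand", "1111") and \
            SHELL_META.search(_first(form, "command_data")):
        hits.append("backend-command-injection")
    return hits

def extract_api_markers(response_body):
    return API_MARKER_RE.findall(response_body)  # values between the sentinels

def scan(requests=SAMPLE_REQUESTS):
    return [(url, classify_request(m, url, b)) for m, url, b in requests]
```

The regex is exactly as narrow as the ET rule: a quote followed by whitespace or a comment before UNION/SELECT does not match, so treat this as a signature, not a general SQLi detector.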

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)