CVE-2018-8735
published 2018-04-18


Priority: P2 (78) · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 64.17% (99.1st percentile)
Remote command execution (RCE) vulnerability in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an attacker to execute arbitrary commands on the target system, aka OS command injection.

Affected (1 range)

Vendor | Product   | Version range       | Fixed in
nagios | nagios_xi | >= 5.2.0, < 5.4.13  | 5.4.13

Detection & IOCs (extracted from sources)

url: /nagiosql/admin/settings.php
url: /nagiosql/admin/helpedit.php
url: /nagiosxi/backend/index.php
url: /nagiosxi/api/v1/system/user
path: /usr/local/nagiosxi/scripts/reset_config_perms.sh
cookie: nagiosxi
command: cmd=submitcommand&command=1111&command_data=
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect POST requests to /nagiosql/admin/settings.php with txtDBuser=root, indicating an attacker is attempting to elevate the NagiosQL database user to root as the first step of the chained exploit.
  • Detect POST requests to /nagiosql/admin/helpedit.php where the selInfoKey1 parameter contains a single-quote followed by UNION or SELECT (URL-encoded as %27 or raw), indicating SQL injection for API key enumeration.
  • Detect POST requests to /nagiosxi/api/v1/system/user with auth_level=admin in the body, indicating an attacker is attempting to create a rogue administrative user via a stolen API key.
  • Detect POST requests to /nagiosxi/backend/index.php with query parameters cmd=submitcommand&command=1111 and command_data containing shell metacharacters or $(...) subshell syntax, indicating command injection for privilege escalation.
  • Monitor for unexpected writes to /usr/local/nagiosxi/scripts/reset_config_perms.sh, which the exploit overwrites with attacker-controlled content before executing it via sudo for privilege escalation.
  • The exploit targets Nagios XI versions 5.2.6 through 5.4.12; the SQLi parameter name differs by version (api_key for versions < 5.3, backend_ticket for >= 5.3), so detection rules should account for both field names in the UNION SELECT payload.
  • The exploit hardcodes the default NagiosQL database credentials (user: nagiosql, password: n@gweb) and resets them after exploitation; environments with non-default credentials may cause the exploit to fail at step 1, but the POST to settings.php will still occur.
  • The module uses a CmdStager with 'printf' flavor and ARCH_X86, meaning the staged payload delivery relies on printf-based shell commands; detection of the stager should look for printf-assembled binaries written to /tmp.
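The four request-level detections listed above, implemented as one Python classifier run over constructed sample requests. This is an added example, not code from the database or from the Nagios project; the rule names, the `(method, url, body)` tuple shape and the sample traffic are assumptions made here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

SQLI_RE = re.compile(r"'\s*(?:UNION|SELECT)\b", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;|&`]|\$\(")  # shell metacharacters or $(...) subshell

def _params(url, body):
    """Merge query-string and body parameters into {name: [values]}."""
    p = defaultdict(list)
    for src in (urlsplit(url).query, body):
        for k, v in parse_qs(src, keep_blank_values=True).items():
            p[k].extend(v)
    return p

def classify_request(method, url, body=""):
    """Return the rule names a request triggers (empty list if none)."""
    if method.upper() != "POST":
        return []
    path, p, findings = urlsplit(url).path, _params(url, body), []
    # 1. chain step 1: NagiosQL DB user switched to root via settings.php
    if path.endswith("/nagiosql/admin/settings.php") and "root" in p["txtDBuser"]:
        findings.append("nagiosql_dbuser_root")
    # 2. SQLi in selInfoKey1; unquote() again so a double-encoded %2527 also matches
    if path.endswith("/nagiosql/admin/helpedit.php") and any(
            SQLI_RE.search(unquote(v)) for v in p["selInfoKey1"]):
        findings.append("helpedit_sqli")
    # 3. rogue admin created through the API with a stolen key
    if path.endswith("/nagiosxi/api/v1/system/user") and "admin" in p["auth_level"]:
        findings.append("api_rogue_admin")
    # 4. command injection through the backend submitcommand endpoint
    if (path.endswith("/nagiosxi/backend/index.php") and "submitcommand" in p["cmd"]
            and "1111" in p["command"]
            and any(SHELL_META_RE.search(v) for v in p["command_data"])):
        findings.append("backend_command_injection")
    return findings

# Constructed sample traffic (method, url, body) for this added example; not captured data.
SAMPLE_REQUESTS = [
    ("POST", "/nagiosql/admin/settings.php", "txtDBuser=root&txtDBpass=x"),
    ("POST", "/nagiosql/admin/helpedit.php", "selInfoKey1=1%27+UNION+SELECT+1"),
    ("POST", "/nagiosxi/api/v1/system/user?apikey=REDACTED", "auth_level=admin"),
    ("POST", "/nagiosxi/backend/index.php?cmd=submitcommand&command=1111", "command_data=127.0.0.1$(placeholder)"),
    ("POST", "/nagiosxi/backend/index.php?cmd=submitcommand&command=1111", "command_data=localhost"),  # benign
]

def scan(requests=SAMPLE_REQUESTS):
    """Return {index: findings} for the requests that trigger at least one rule."""
    return {i: f for i, r in enumerate(requests) if (f := classify_request(*r))}
```

Because parameters are merged from query string and body, the rules fire regardless of where an attacker places them; the snort rules above match only the body or URI positions they name.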

CVSS provenance

NVD v3.0: 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C