CVE-2019-15949
published 2019-09-05


Priority: P1 92 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 77.74% (99.5th percentile)
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
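The primitive described above (a script that root runs through a passwordless sudo entry, which in turn executes a file the unprivileged account owns) is worth checking for on any host, not only Nagios XI. The script below is an added example, not Nagios code and not tooling from the advisory's sources: it parses sudoers-style entries, and for every command a user may run as root with NOPASSWD it reads the command's body, extracts the absolute paths it references and flags any that are not owned by root or are group/world writable. The sudoers line, the getprofile.sh location, the file ownerships and the script contents in the sample are constructed for the demonstration (the page gives the script and binary names, not their paths); by default the audit reads the real filesystem.

```python
"""Audit sudoers for the CVE-2019-15949 pattern: a command root runs without a
password that in turn executes something a less privileged account controls.

Added example, not Nagios code and not from the advisory's sources. Paths,
ownership values and the sudoers text in the sample are constructed.
"""
import os
import re
import stat

# user host=(runas) TAG: cmd, cmd ...   (Defaults and alias lines are skipped)
SUDO_RE = re.compile(
    r'^(?P<user>[^\s#]+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)
# absolute paths appearing in a script body
PATH_RE = re.compile(r'(?<![\w/])/(?:[\w.-]+/)*[\w.-]+')


def parse_sudoers(text):
    """Yield (sudo_user, command_path) for every NOPASSWD entry that runs as root."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias")):
            continue
        m = SUDO_RE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        runas = (m["runas"] or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd or cmd == "ALL" or cmd.startswith("!"):
                continue
            yield m["user"], cmd.split()[0]      # drop any fixed arguments


def _read_file(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def _stat_file(path):
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid, st.st_mode


def audit(sudoers_text, read_fn=_read_file, stat_fn=_stat_file):
    """Return (sudo_user, root_command, referenced_path, reason) for every file the
    root command touches that a non-root account could replace."""
    findings = []
    for user, cmd in parse_sudoers(sudoers_text):
        targets = [cmd]
        body = read_fn(cmd)
        if body is not None:
            # referenced absolute paths, deduplicated in order of appearance;
            # relative names (a bare "check_plugin") are not resolved here
            targets += [p for p in dict.fromkeys(PATH_RE.findall(body)) if p != cmd]
        for path in targets:
            info = stat_fn(path)
            if info is None:
                continue
            uid, mode = info
            if uid != 0:
                findings.append((user, cmd, path, f"owned by uid {uid}, not root"))
            elif mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((user, cmd, path, "group/world writable"))
    return findings


# Constructed sample (assumed paths; the real getprofile.sh location is not on the page).
SAMPLE_SUDOERS = """\
Defaults env_reset
nagios ALL=(ALL) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh, /usr/bin/systemctl restart httpd
%wheel ALL=(ALL) ALL
"""
# path -> (uid, st_mode, contents)
SAMPLE_FS = {
    "/usr/local/nagiosxi/scripts/components/getprofile.sh": (0, 0o100755,
        "#!/bin/bash\n/usr/local/nagios/libexec/check_plugin -H localhost\n"
        "/bin/tar czf /tmp/profile.tgz /usr/local/nagios/var\n"),
    "/usr/local/nagios/libexec/check_plugin": (1001, 0o100755, ""),  # nagios-owned, run by root
    "/usr/local/nagios/var": (0, 0o040775, ""),                      # root-owned but group writable
    "/bin/bash": (0, 0o100755, ""),
    "/bin/tar": (0, 0o100755, ""),
    "/usr/bin/systemctl": (0, 0o100755, ""),
}


def sample_audit():
    """Run the audit against the constructed filesystem instead of the real one."""
    return audit(
        SAMPLE_SUDOERS,
        read_fn=lambda p: SAMPLE_FS[p][2] if p in SAMPLE_FS else None,
        stat_fn=lambda p: SAMPLE_FS[p][:2] if p in SAMPLE_FS else None,
    )


if __name__ == "__main__":
    import sys
    results = audit(open(sys.argv[1]).read()) if len(sys.argv) > 1 else sample_audit()
    for user, cmd, path, reason in results:
        print(f"{user} -> root via {cmd}: {path} is {reason}")
```

Run with a sudoers file as the first argument to audit a real host (read the `sudoers.d` fragments the same way); without arguments it reports on the constructed sample. A finding on a path referenced by the script is the CVE-2019-15949 shape; a finding on the command itself means the sudo user can rewrite the script outright. Relative executable names and PATH lookups are not resolved, so a hit list is a starting point for manual review rather than a complete answer.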

Affected

1 range
Vendor: nagios    Product: nagios_xi    Version range: < 5.6.6    Fixed in: 5.6.6

Detection & IOCs (extracted from sources)

url: /nagiosxi/includes/components/profile/profile.php?cmd=download
filename: check_ping
filename: check_plugin
path: /nagiosxi/includes/components/profile/profile.php
path: /nagiosxi/login.php
snort (sid 2034535, rule body):
[$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; pcre:"/^[\s\x22\x27]*upload\b/Ri"; content:"name="; distance:0; pcre:"/^[\s\x22\x27]*uploadedfile\b/Ri"; content:"filename="; distance:0; pcre:"/^[\s\x22\x27]*check_ping\b/Ri"; content:"check_ping"; nocase; fast_pattern; reference:url,github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php; reference:cve,2019-15949; classtype:attempted-admin; sid:2034535; rev:1; metadata:attack_target Server, created_at 2021_11_23, cve CVE_2019_15949, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect exploit stage 1: HTTP POST to /nagiosxi/admin/monitoringplugins.php uploading a multipart file named 'check_ping' — the malicious plugin upload step.
  • Detect exploit stage 2: HTTP GET to /nagiosxi/includes/components/profile/profile.php?cmd=download immediately after a check_ping upload — this triggers getprofile.sh and executes the malicious plugin as root.
  • Monitor for unexpected modification of the check_plugin binary (owner: nagios) on disk — the core privilege escalation primitive relies on replacing this executable with a malicious one.
  • For older Nagios XI versions (5.2.0–5.4.13), the payload executes as the 'nagios' user; for 5.5.0–5.6.5 it executes as root. Triage privilege level of any suspicious process spawned from getprofile.sh accordingly.
  • The exploit requires a valid admin session; monitor for successful logins to /nagiosxi/login.php followed immediately by plugin upload and profile download requests in the same session.
  • The Metasploit module sets HttpClientTimeout to 2 seconds for the profile download request because the connection must be forcibly closed for the exploit to work; network sensors may log this as an anomalous abrupt TCP teardown rather than a completed response.
  • Against Nagios XI versions before 5.5.0, payload callback can take up to 5 minutes; the default WfsDelay is 300 seconds. Detection rules with short session-correlation windows may miss the full attack chain on older targets.
  • The Linux (cmd) target variant writes the payload directly via the malicious plugin without a command stager, bypassing stager-based detections; this path must be covered separately.
  • Versions of Nagios XI prior to 5.2.0 are flagged as vulnerable but are not supported by the public Metasploit module; exploitation behaviour on those versions is undocumented and may differ.
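The stage 1 / stage 2 sequence and the login correlation listed above can be checked from ordinary web-server access logs, without request-body inspection. The Python below is an added example, not a rule from the page's sources and not a Nagios or Metasploit artifact: it parses combined-format access log lines, classifies requests as login, plugin upload or profile download by path, and reports every profile download preceded by a plugin upload from the same client within a window, with a preceding successful login raising the confidence. Access logs do not carry the multipart filename, so the check_ping upload itself is only visible to a body-inspecting sensor such as the Suricata rule above. The log lines are constructed; the assumption that a successful login answers with a 302 redirect, and correlating on client IP rather than on the session cookie, are the example's own choices, and the 300 s default window follows the WfsDelay note above.

```python
"""Correlate the CVE-2019-15949 request chain in web-server access logs.

Added example, not from the page's sources or from Nagios/Metasploit. Stages
(as listed above): successful login -> plugin upload -> profile download from
the same client. Access logs carry no multipart filename, so the upload stage
is matched on path only. The sample log lines are constructed.
"""
import re
import sys
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined format: ip - - [ts] "METHOD url HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/nagiosxi/login.php"
UPLOAD_PATH = "/nagiosxi/admin/monitoringplugins.php"
PROFILE_PATH = "/nagiosxi/includes/components/profile/profile.php"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": u.path, "query": parse_qs(u.query),
            "status": int(m["status"])}


def classify(ev):
    """Map a parsed request to 'login', 'upload', 'download' or None."""
    if ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
        # Assumption: a successful login redirects; a failed one re-renders the form with 200.
        return "login" if ev["status"] in (302, 303) else None
    if ev["method"] == "POST" and ev["path"] == UPLOAD_PATH and ev["status"] < 400:
        return "upload"
    if ev["method"] == "GET" and ev["path"] == PROFILE_PATH and ev["query"].get("cmd") == ["download"]:
        # Status deliberately unchecked: the exploit tears the connection down early,
        # so the server may log an incomplete response for this request.
        return "download"
    return None


def correlate(lines, window_s=300):
    """Return one finding per profile download preceded by a plugin upload from the same
    client IP within window_s seconds; a successful login before the upload raises the
    confidence. Lines must be in time order; 300 s matches the WfsDelay noted above."""
    window = timedelta(seconds=window_s)
    last = {}           # ip -> {"login": ts, "upload": ts}
    findings = []
    for line in lines:
        ev = parse_line(line)
        stage = classify(ev) if ev else None
        if stage is None:
            continue
        hist = last.setdefault(ev["ip"], {"login": None, "upload": None})
        if stage != "download":
            hist[stage] = ev["ts"]
            continue
        up = hist["upload"]
        if up is None or ev["ts"] - up > window:
            continue
        lg = hist["login"]
        findings.append({
            "ip": ev["ip"], "upload": up, "download": ev["ts"],
            "confidence": "high" if lg is not None and lg <= up and up - lg <= window else "medium",
        })
    return findings


# Constructed sample: one full chain, one lone download, one upload/download pair too far apart.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2019:10:00:01 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2019:10:00:03 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2019:10:00:04 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2019:10:00:05 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 - "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2019:10:05:00 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2019:11:00:00 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Sep/2019:11:20:00 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in correlate(src):
        print(f"{f['ip']}: plugin upload {f['upload']:%H:%M:%S}, profile download "
              f"{f['download']:%H:%M:%S} ({f['confidence']} confidence)")
```

Pass an access log path as the first argument to run it on real data; with no argument it processes the constructed sample and reports the single complete chain. A legitimate administrator who uploads a plugin and then downloads a system profile within the window produces the same finding, so treat a hit as a triage trigger and confirm on the host by checking the plugin upload directory and the check_plugin binary for modification, as the notes above describe.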

CVSS provenance

nvd v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH