CVE-2019-15949
Published 2019-09-05
Priority P1 (92) · CVSS 3.1 base score 8.8 (high)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 77.74% (99.5th percentile)
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
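The root cause described above is a root-run script (getprofile.sh via a passwordless sudo entry) executing a binary that the unprivileged nagios account can rewrite. The following is an added example, not code from the page, from Nagios or from any of the sources listed below: a small baseline-and-recheck integrity monitor that hashes every file in a plugin directory and reports anything that changed, appeared or disappeared, plus a check for the underlying condition (a file that a non-root owner or group/other write bits could alter). The plugin directory path is a parameter because the advisory does not name it; the demo runs against a temporary directory with constructed plugin stubs.

```python
"""Baseline-and-recheck integrity monitor for a Nagios plugin directory.

Added example (not from the page or from Nagios). Records SHA-256, owner
and mode for every regular file, then reports differences on re-check.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(plugin_dir):
    """Map file name -> (sha256, uid, mode) for every regular file in plugin_dir."""
    baseline = {}
    for p in Path(plugin_dir).iterdir():
        if p.is_file():
            st = p.stat()
            baseline[p.name] = (sha256_of(p), st.st_uid, stat.S_IMODE(st.st_mode))
    return baseline


def check_against_baseline(plugin_dir, baseline):
    """Return a sorted list of (file name, finding) pairs; empty when nothing changed."""
    current = build_baseline(plugin_dir)
    findings = []
    for name, (digest, uid, mode) in current.items():
        if name not in baseline:
            findings.append((name, "new file"))
            continue
        old_digest, old_uid, old_mode = baseline[name]
        if digest != old_digest:
            findings.append((name, "content changed"))
        elif (uid, mode) != (old_uid, old_mode):
            findings.append((name, "owner or mode changed"))
    for name in baseline:
        if name not in current:
            findings.append((name, "removed"))
    return sorted(findings)


def writable_by_non_root(path):
    """True when a non-root owner, or any group/other write bit, could alter the
    file: the condition that lets a nagios-owned plugin be replaced before a
    root-run script executes it."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    """Run the monitor against a constructed temporary plugin directory.

    Returns (findings before tampering, findings after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed plugin stubs; not real Nagios plugins.
        Path(d, "check_ping").write_bytes(b"#!/bin/sh\nping -c 1 \"$1\"\n")
        Path(d, "check_http").write_bytes(b"#!/bin/sh\ncurl -sI \"$1\"\n")
        baseline = build_baseline(d)
        clean = check_against_baseline(d, baseline)
        # Simulated tampering (constructed): one plugin rewritten, one added.
        Path(d, "check_ping").write_bytes(b"#!/bin/sh\necho tampered\n")
        Path(d, "check_disk").write_bytes(b"#!/bin/sh\ndf -h\n")
        return clean, check_against_baseline(d, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

In a real deployment the baseline must be stored somewhere the nagios account cannot write, and the re-check should run from a root-owned scheduled job; otherwise the same account that can replace a plugin can also rewrite the baseline.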
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | < 5.6.6 | 5.6.6 |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid 2034535):
```
ET EXPLOIT Nagios XI [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; pcre:"/^[\s\x22\x27]*upload\b/Ri"; content:"name="; distance:0; pcre:"/^[\s\x22\x27]*uploadedfile\b/Ri"; content:"filename="; distance:0; pcre:"/^[\s\x22\x27]*check_ping\b/Ri"; content:"check_ping"; nocase; fast_pattern; reference:url,github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php; reference:cve,2019-15949; classtype:attempted-admin; sid:2034535; rev:1; metadata:attack_target Server, created_at 2021_11_23, cve CVE_2019_15949, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Detect exploit stage 1: an HTTP POST to /nagiosxi/admin/monitoringplugins.php uploading a multipart file named 'check_ping', the malicious plugin upload step.
- Detect exploit stage 2: an HTTP GET to /nagiosxi/includes/components/profile/profile.php?cmd=download immediately after a check_ping upload; this triggers getprofile.sh and executes the malicious plugin as root.
- Monitor for unexpected modification of the check_plugin binary (owner: nagios) on disk; the core privilege-escalation primitive relies on replacing this executable with a malicious one.
- For older Nagios XI versions (5.2.0 to 5.4.13) the payload executes as the 'nagios' user; for 5.5.0 to 5.6.5 it executes as root. Triage the privilege level of any suspicious process spawned from getprofile.sh accordingly.
- The exploit requires a valid admin session; monitor for successful logins to /nagiosxi/login.php followed immediately by plugin upload and profile download requests in the same session.
- The Metasploit module sets HttpClientTimeout to 2 seconds for the profile download request because the connection must be forcibly closed for the exploit to work; network sensors may log this as an anomalous abrupt TCP teardown rather than a completed response.
- Against Nagios XI versions before 5.5.0, the payload callback can take up to 5 minutes; the default WfsDelay is 300 seconds. Detection rules with short session-correlation windows may miss the full attack chain on older targets.
- The Linux (cmd) target variant writes the payload directly via the malicious plugin without a command stager, bypassing stager-based detections; this path must be covered separately.
- Versions of Nagios XI prior to 5.2.0 are flagged as vulnerable but are not supported by the public Metasploit module; exploitation behaviour on those versions is undocumented and may differ.
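The detection notes above describe a request sequence (plugin upload POST, then a profile download GET from the same client) that an IDS rule sees only on the upload body. As an added example, not taken from the page, from Emerging Threats or from any vendor, the following correlates web-server access-log lines into that sequence per client address and reports the gap between the two requests, so the window can be widened for the older, slower targets the notes mention. It assumes the Apache/nginx "combined" log format and a 600-second default correlation window, neither of which comes from the advisory; the log lines are constructed sample data, not real traffic. A log-based check cannot see the uploaded filename, so it complements rather than replaces the sid 2034535 rule.

```python
"""Correlate access-log requests into the CVE-2019-15949 exploit chain.

Added example (not from the page or any vendor). Flags a plugin-upload POST
followed, within a window and from the same client, by a profile-download GET.
"""
import re
from datetime import datetime

# Request paths named in the detection notes.
LOGIN_PATH = "/nagiosxi/login.php"
UPLOAD_PATH = "/nagiosxi/admin/monitoringplugins.php"
PROFILE_PATH = "/nagiosxi/includes/components/profile/profile.php"

# Apache/nginx "combined" access-log format is assumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): 10.0.0.5 performs the full chain
# within seconds, 10.0.0.9 only downloads a profile (ordinary admin use), and
# 10.0.0.7 uploads a plugin and downloads a profile eleven minutes apart.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2021:10:01:02 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Nov/2021:10:01:09 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Nov/2021:10:01:11 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Nov/2021:10:05:00 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Nov/2021:10:30:00 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [23/Nov/2021:10:41:00 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path, query, status; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m["path"].partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "query": query,
        "status": int(m["status"]),
    }


def find_exploit_chains(lines, window_seconds=600):
    """Return one alert per plugin-upload POST that is followed, within
    window_seconds and from the same client address, by a profile-download GET.
    Lines are expected in chronological order, as access logs are written.
    The 600-second default is an assumption, not a value from the advisory."""
    logins = set()
    last_upload = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            logins.add(ip)
        elif ev["method"] == "POST" and ev["path"] == UPLOAD_PATH:
            last_upload[ip] = ev["ts"]
        elif (ev["method"] == "GET" and ev["path"] == PROFILE_PATH
              and "cmd=download" in ev["query"].split("&") and ip in last_upload):
            seconds = (ev["ts"] - last_upload[ip]).total_seconds()
            if 0 <= seconds <= window_seconds:
                alerts.append({
                    "ip": ip,
                    "upload_at": last_upload[ip].isoformat(),
                    "download_at": ev["ts"].isoformat(),
                    "seconds_between": int(seconds),
                    "login_seen": ip in logins,
                })
                del last_upload[ip]  # one alert per upload
    return alerts


if __name__ == "__main__":
    for alert in find_exploit_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the default window only 10.0.0.5 is reported; raising window_seconds to 900 also catches the slower 10.0.0.7 sequence, which is the trade-off the note about short correlation windows on older targets points at.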
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
GHSA
GHSA-8qv6-943v-r8gm: Nagios XI before 5
ghsa (unreviewed) · 2022-05-24 · CVE-2019-15949 [HIGH] · CWE-78
Description: identical to the NVD text at the top of this page.
VulnCheck
Nagios XI Remote Code Execution Vulnerability
vulncheck · 2019 · CVSS 8.8 · CVE-2019-15949 [HIGH] · CWE-78
Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root.
Affected: Nagios Nagios XI
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/eccfb0ae16cd; https://vulncheck.com/xdb/b3713bbd9245
Remediation Due: 2022-05-03
CISA
Nagios XI Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 8.8 · CVE-2019-15949 [HIGH] · CWE-78
Vulnerability: Nagios XI Remote Code Execution Vulnerability
Affected: Nagios Nagios XI
Nagios XI contains a remote code execution vulnerability in which a user can modify the check_plugin executable and insert malicious commands to execute as root.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-15949
Remediation Due Date: 2022-05-03
Suricata
ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)
suricata · 2021-11-23 · CVSS 8.8 · CVE-2019-15949 [HIGH]
Rule text: the sid 2034535 rule quoted under Detection & IOCs above.
Exploit-DB
Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)
exploitdb · 2025-04-08 · CVSS 8.8 · CVE-2019-15949 [HIGH]
---
```python
# Exploit Title: Nagiosxi authenticated Remote Code Execution
# Date: 17/02/2024
# Exploit Author: Calil Khalil
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios Xi 5.6.6
# Tested on: Ubuntu
# CVE : CVE-2019-15949
#
# python3 exp.py -t https:/// -b // -u user -p 'password' -lh -lp -k (ignore cert)
#
import argparse
import re
import requests
import urllib3


class Nagiosxi():
    def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl):
        self.url = target
        self.parameter = parameter
        self.username = username
        self.password = password
        self.lhost = lhost
        self.lport = lport
        self.ignore_ssl = ignore_ssl
        self.login()

    def upload(self, session):
        print("Uploading Malicious Check Ping
```
Exploit-DB
Nagios XI - Authenticated Remote Command Execution (Metasploit)
exploitdb · 2020-03-10 · CVE-2019-15949
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Nagios XI Authenticated Remote Command Execution',
      'Description' => %q{
        This module exploits a vulnerability in Nagios XI before 5.6.6 in
        order to execute arbitrary commands as root.

        The module uploads a malicious plugin to the Nagios XI server and then
        executes this plugin by issuing an HTTP GET request to download a
        system profile from the server. For all supported targets except Linux
        (cmd), the module uses a command stager to write the exploit to the
        target via the malicious plugin. This may not work if Nagios XI is
        running in a restricted Unix environment
```
Metasploit
Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
metasploit
This module exploits a vulnerability in the getprofile.sh script of Nagios XI prior to 5.6.6 in order to upload a malicious check_ping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0-5.4.13, the commands are run as the nagios user. For versions 5.5.0-5.6.5 the commands are run as root. Note that versions prior to 5.2.0 will still be marked as being vulnerable however this module does not presently support exploiting these targets. The module uploads a malicious check_ping plugin to the Nagios XI server via /admin/monitoringplugins.php and then executes this plugin by issuing a HTTP GET request to download a system profile from the server. For all supported targets except Linux (cmd), the modul
Metasploit
Nagios XI Scanner
metasploit
The module detects the version of Nagios XI applications and suggests matching exploit modules based on the version number. Since Nagios XI applications only reveal the version to authenticated users, valid credentials for a Nagios XI account are required. Alternatively, it is possible to provide a specific Nagios XI version number via the `VERSION` option. In that case, the module simply suggests matching exploit modules and does not probe the target(s).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/162158/Nagios-XI-getprofile.sh-Remote-Command-Execution.html
- https://github.com/jakgibb/nagiosxi-root-rce-exploit
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15949
Timeline
- 2019-09-05: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild