CVE-2020-5792
published 2020-10-20


Priority P266 · high · 7.2 · CVSS 3.1
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 60.97% (99.0th percentile)
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
nagios | nagios_xi | |

Detection & IOCs (extracted from sources)

path: /nagiosxi/includes/components/nxti/index.php
path: /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/snmplog.php
filename: snmplog.php
path: /nagiosxi/includes/components/autodiscovery/jobs/
  • Monitor HTTP requests to /nagiosxi/includes/components/nxti/index.php with mode=customTrap and custom-community parameter containing '-d' and '-L f' flags, which indicate snmptrap argument injection for file write.
  • Alert on creation of new PHP files under /usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/ — this directory is the drop location for web shells written via the snmptrap argument injection.
  • Detect HTTP GET requests to /nagiosxi/includes/components/autodiscovery/jobs/*.php with a query parameter used as a command (e.g., ?cmd= or ?c=), indicating web shell execution following successful exploitation.
  • Look for hex-encoded PHP webshell payloads in snmptrap variable bindings values — the hex string 3c3f706870 decodes to '<?php', indicating PHP shell injection via SNMP variable bindings.
  • Flag HTTP requests to /nagiosxi/includes/components/nxti/index.php where the custom-community parameter contains shell argument flags such as '-d' and '-L', as escapeshellcmd() does not prevent argument injection.
  • Exploitation requires an authenticated admin session; the vulnerability cannot be triggered by unauthenticated users directly — however, it can be chained with the CSRF vulnerability (CVE-2020-5790) to achieve unauthenticated exploitation if an admin clicks a malicious link.
  • The PHP escapeshellcmd() function used to sanitize the snmptrap command is insufficient to prevent argument injection — only escapeshellarg() applied per-argument would prevent this class of attack.
  • The Metasploit module targets Nagios XI versions 5.5.0 through 5.7.3; detections and mitigations should cover this entire version range.
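
The request-level checks from the bullets above, as an added example (not code from the original page or from Nagios). It assumes the detector sees form bodies as well as URLs (for example from a reverse proxy or WAF log) and flags any option-like token in custom-community rather than only -d and -L; `classify`, the finding labels, the sample requests and the `value` parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

NXTI_PATH = "/nagiosxi/includes/components/nxti/index.php"
JOBS_DIR = "/nagiosxi/includes/components/autodiscovery/jobs/"
PHP_OPEN_HEX = "3c3f706870"              # hex of '<?php', as given on the page
OPTION_TOKEN = re.compile(r"-[A-Za-z]")  # option-like token, e.g. -d or -L


def classify(method, url, body=""):
    """Return sorted finding labels for one HTTP request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    params = {k: query.get(k, []) + form.get(k, []) for k in {*query, *form}}
    findings = set()

    if parts.path == NXTI_PATH and "customTrap" in params.get("mode", []):
        # After URL-decoding, a benign community string is not expected to
        # carry option-like tokens; one means extra snmptrap arguments.
        for value in params.get("custom-community", []):
            if any(OPTION_TOKEN.match(tok) for tok in value.split()):
                findings.add("snmptrap-argument-injection")
        # Hex-encoded '<?php' anywhere in the trap parameters.
        if any(PHP_OPEN_HEX in v.lower() for vs in params.values() for v in vs):
            findings.add("hex-encoded-php-in-trap-params")

    # GET to a PHP file in the jobs directory carrying query parameters.
    if (method.upper() == "GET" and parts.path.startswith(JOBS_DIR)
            and parts.path.endswith(".php") and query):
        findings.add("jobs-php-with-query-params")

    return sorted(findings)


# Constructed sample requests (method, URL, form body). PLACEHOLDER stands in
# for attacker-chosen values; "value" is a hypothetical parameter name.
SAMPLES = [
    ("POST", NXTI_PATH, "mode=customTrap&custom-community=public+-d+-L+f+PLACEHOLDER"),
    ("POST", NXTI_PATH, "mode=customTrap&custom-community=public"),
    ("GET", JOBS_DIR + "example.php?cmd=PLACEHOLDER", ""),
    ("POST", NXTI_PATH, "mode=customTrap&custom-community=public&value=3C3F706870AA"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, classify(method, url, body))
```
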

CVSS provenance

nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P