cbcvebase.
CVE-2021-25299
published 2021-02-15


Priority: P3 · 57 · medium
CVSS 3.1 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Flags: EXPLOIT
EPSS: 96.86% (99.9th percentile)
Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). The vulnerability exists in the file /usr/local/nagiosxi/html/admin/sshterm.php due to improper sanitization of user-controlled input. A maliciously crafted URL, when clicked by an admin user, can be used to steal his/her session cookies or it can be chained with the previous bugs to get one-click remote command execution (RCE) on the Nagios XI server.

Affected (1 range)

Vendor   Product     Version range   Fixed in
nagios   nagios_xi   (not given)     (not given)

Detection & IOCs (extracted from sources)

path: /usr/local/nagiosxi/html/admin/sshterm.php
url: /nagiosxi/admin/sshterm.php?url=javascript:alert(document.domain)
snort/ET rule (sid:2059094):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nagiosxi/admin/sshterm.php?"; startswith; fast_pattern; content:"url="; nocase; pcre:"/^.+(script|onerror|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.connectwise.com/resources/cve-spotlight-nagios-xi-cve-2021-25296-25297-25298-25299; reference:cve,2021-25299; classtype:web-application-attack; sid:2059094; rev:2; metadata:affected_product Nagios, attack_target Web_Server, tls_state plaintext, created_at 2025_01_09, cve CVE_2021_25299, deployment Perimeter, deployment Internal, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for GET requests to /nagiosxi/admin/sshterm.php with a 'url=' parameter containing JavaScript pseudo-protocol or event handler payloads (e.g., javascript:, onerror=, onload=, style=).
  • Exploitation requires an authenticated admin session; monitor for login to /nagiosxi/login.php followed immediately by a crafted GET to sshterm.php with a malicious url= parameter.
  • The attack can be chained with other Nagios XI bugs for one-click RCE; treat any XSS hit on sshterm.php as a high-severity event.
  • Use Shodan/FOFA queries to identify exposed Nagios XI instances: title:"Nagios XI" / http.title:"nagios xi" / title="nagios xi" / app="nagios-xi".
  • The Snort/ET rule (sid:2059094) only covers plaintext HTTP traffic (tls_state: plaintext); HTTPS-wrapped exploitation will evade this rule without SSL inspection.
  • Exploitation requires the victim to be an authenticated admin user who clicks a maliciously crafted URL; unauthenticated exploitation is not directly possible.
  • The Nuclei template extracts the nsp (nonce/session protection) token via regex from the login page body before submitting credentials; detection logic must account for this multi-step authentication flow (3 requests total).
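As an added defender-side example (not part of this record, and not code from Nagios, Perch Security or Emerging Threats), the following Python applies the first two detection bullets above to web-server access logs: it URL-decodes the url= parameter of GET requests to /nagiosxi/admin/sshterm.php, matches the same pseudo-protocol and event-handler indicator classes that sid:2059094 names, and records whether the same client had just POSTed to /nagiosxi/login.php. The log lines, the five-minute login window and the function names are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-style log lines (illustrative, not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2021:10:00:01 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2021:10:00:03 +0000] "GET /nagiosxi/admin/sshterm.php?url=javascript:alert(document.domain) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Feb/2021:10:01:10 +0000] "GET /nagiosxi/admin/sshterm.php?url=ssh%3A%2F%2Fmonitor.internal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Feb/2021:10:02:00 +0000] "GET /nagiosxi/admin/sshterm.php?url=JAVASCRIPT%3Aalert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Same indicator classes as the ET rule's pcre, but applied after percent-decoding so
# an encoded "javascript%3A" is not missed; "script" is anchored to a tag or pseudo-protocol.
PAYLOAD_RE = re.compile(r'javascript\s*:|<\s*script|\bon(?:error|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|mouse[a-z]+|key[a-z]+)\s*=|style\s*=', re.I)
LOGIN_WINDOW_S = 300  # assumption: a login within five minutes before the hit is "the same session"

def classify_target(target):
    """Return the offending decoded url= value for a sshterm.php request, else None."""
    parts = urlsplit(target)
    if parts.path != "/nagiosxi/admin/sshterm.php":
        return None
    for value in parse_qs(parts.query).get("url", []):  # parse_qs percent-decodes values
        if PAYLOAD_RE.search(value):
            return value
    return None

def detect(log_text):
    """Return one alert dict per matching GET, noting whether the client logged in just before."""
    last_login = {}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "POST" and urlsplit(m["target"]).path == "/nagiosxi/login.php":
            last_login[m["ip"]] = ts
            continue
        if m["method"] != "GET":
            continue
        hit = classify_target(m["target"])
        if hit is None:
            continue
        login_ts = last_login.get(m["ip"])
        alerts.append({
            "ip": m["ip"], "time": m["ts"], "url_param": hit,
            "after_login": login_ts is not None and (ts - login_ts).total_seconds() <= LOGIN_WINDOW_S,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because the matching happens on the decoded parameter, this complements rather than replaces the network rule, which (per the bullet above) does not see HTTPS traffic without inspection.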

CVSS provenance

NVD v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N