CVE-2021-37343
published 2021-08-13

Priority: P2 · 68 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.82% (97.5th percentile)

A path traversal vulnerability exists in Nagios XI below version 5.8.5 AutoDiscovery component and could lead to post authenticated RCE under security context of the user running Nagios.

Affected

1 range

Vendor | Product | Version range | Fixed in
nagios | nagios_xi | < 5.8.5 | 5.8.5

Detection & IOCs (extracted from sources)

url: /nagiosxi/includes/components/autodiscovery/?mode=newjob
bytes: job=|2e 2e 2f|
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:2; metadata:affected_product Nagios, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
  • Look for POST requests to the AutoDiscovery endpoint with a path traversal sequence (`../`, hex `2e 2e 2f`) in the `job` body parameter, indicating exploitation of the newjob mode.
  • The exploit creates an autodiscovery job where the `id` field contains a path traversal to a writable and remotely accessible directory, and the `custom_ports` field contains the PHP web shell payload.
  • A cron file is created on disk at the attacker-controlled path with the web shell embedded; monitor for unexpected PHP files written to web-accessible directories by the Nagios process.
  • Post-exploitation execution context is `www-data`; alert on unexpected outbound connections or shell spawns from the web server process after a successful upload.
  • Use the Nagios XI Scanner module to fingerprint the installed version; versions below 5.8.5 are vulnerable and should be prioritised for patching or network-level blocking.
  • Exploitation requires prior authentication as an administrator; unauthenticated access alone is insufficient to trigger the path traversal.
  • The Snort/ET rule (sid:2034017) targets inbound traffic to $HOME_NET/$HTTP_SERVERS; ensure these variables are correctly scoped to cover Nagios XI hosts, otherwise the rule will not fire.
  • The Metasploit module deletes the web shell and removes the autodiscovery job after use by default, which may limit forensic artefacts available post-compromise.
  • Version detection via the scanner module requires valid Nagios XI credentials; without them, the version must be supplied manually via the `VERSION` option, reducing automation accuracy.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P