CVE-2024-24401
Published 2024-02-26
Priority: P273 · Severity: critical 9.8 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 45.88% (98.7th percentile)
SQL Injection vulnerability in Nagios XI 2024R1.01 allows a remote attacker to execute arbitrary code via a crafted payload to the monitoringwizard.php component.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nagios | nagios_xi | — | — |
Detection & IOCs (extracted from sources)
- Detect SQL injection attempts against monitoringwizard.php via a path traversal-style injection marker in the URL (e.g., the '/1*' pattern) with parameters update=1&nextstep=2&wizard=mysqlserver
- Monitor for POST requests to /nagiosxi/includes/components/ccm/index.php with a tfCommand field containing 'nc -e' (netcat reverse shell), indicating post-exploitation command creation
- Alert on GET requests to command_test.php with cmd=test&mode=test parameters, which triggers execution of attacker-created Nagios commands
- Detect rapid sequential API calls: POST to /nagiosxi/api/v1/authenticate followed by GET to /nagiosxi/login.php?token= then POST to /nagiosxi/api/v1/system/user with auth_level=admin, indicative of automated admin account creation
- The exploit targets the 'id' parameter in monitoringwizard.php using SQLMap techniques ET (Error-based and Time-based blind) against the nagiosxi database table xi_users to extract API keys
- The exploit targets Nagios XI version 2024R1.01 specifically; the SQL injection is in the monitoringwizard.php component and requires an authenticated (non-admin) session to exploit
- The exploit hardcodes a mandatory intermediate password change to 'mawk' for the initial low-privilege user before proceeding with SQLMap extraction; detection logic should account for this forced password-change step
- The exploit extracts the 'Nagios Administrator' API key from the xi_users table to create a new admin account via the REST API; the admin key is the pivot point between SQLi and full RCE
No detection rules found.
No writeups or analysis indexed.