cbcvebase.
CVE-2026-2041
published 2026-02-20

CVE-2026-2041: Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute…

PriorityP184high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
74.61%
99.4th percentile
Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250.

Affected

2 ranges
VendorProductVersion rangeFixed in
nagioshost
nagiosnagios_xi

Detection & IOCsextracted from sources · hover to see the quote

  • Monitor for exploitation of the zabbixagent_configwizard_func method in Nagios XI, which passes unsanitized user-supplied input directly to a system call — flag any unexpected child processes spawned by the Nagios service account originating from this code path.
  • Alert on code execution in the context of the Nagios service account (e.g., nagios, www-data) that originates from the zabbixagent config wizard functionality.
  • Authentication is required to exploit this vulnerability; correlate any exploitation attempts with a preceding authenticated session to Nagios XI.
  • ·No public exploit is currently available for CVE-2026-2041, and no fix has been released as of the source publication dates (Feb 24 – Mar 02, 2026). Detection must rely on behavioral/heuristic methods until a patch or PoC is published.
  • ·The vulnerability is tracked internally by ZDI as ZDI-CAN-28250; cross-reference this identifier for any future advisories or PoC releases.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv3.07.2HIGHCVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.