CVE-2013-10073
Published: 30 October 2025
Summary
CVE-2013-10073 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios Nagios Xi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation and sanitization of user-controlled inputs to the Auto-Discovery tool before passing to the shell, directly preventing command injection.
Mandates identification, prioritization, and remediation of the shell injection flaw via patching to Nagios XI 2012R1.6 or later.
Limits damage from injected commands by restricting the Nagios XI application service to least privileges necessary for its functions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Shell command injection in network-accessible Nagios XI Auto-Discovery tool (PR:L) enables exploitation of public-facing application (T1190), Unix Shell execution (T1059.004), and privilege escalation (T1068).
NVD Description
Nagios XI versions prior to 2012R1.6 contain a shell command injection vulnerability in the Auto-Discovery tool. User-controlled input is passed to a shell without adequate sanitation or argument quoting, allowing an authenticated user with access to discovery functionality to execute…
more
arbitrary commands with the privileges of the application service.
Deeper analysisAI
CVE-2013-10073 is a shell command injection vulnerability (CWE-78) affecting Nagios XI versions prior to 2012R1.6, specifically in the Auto-Discovery tool. The flaw arises because user-controlled input is passed directly to a shell without adequate sanitization or argument quoting, enabling command execution. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
An authenticated attacker with access to the discovery functionality can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary commands with the privileges of the Nagios XI application service, potentially leading to full system compromise depending on the service's permissions.
Mitigation details are available in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/ and the Vulncheck advisory at https://www.vulncheck.com/advisories/nagios-xi-auto-discovery-shell-command-injection, which cover patches and remediation steps; affected users should upgrade to Nagios XI 2012R1.6 or later.
Details
- CWE(s)