CVE-2018-25122
Published: 30 October 2025
Summary
CVE-2018-25122 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the lack of input validation on attacker-controlled inputs in the Component Download handler, preventing OS command injection.
- Mitigates the insufficient output encoding in unsafe command construction by filtering outputs before execution.
- SI-2 (Flaw Remediation): remediates the specific command injection flaw by applying vendor patches or upgrading to Nagios XI 5.4.13 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via OS command injection (T1059.004) in a network-accessible web application (T1190), enabling privilege escalation from low-privilege authenticated access (T1068).
NVD Description
Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the privileges of the application service.
Deeper analysis
CVE-2018-25122 is a remote code execution vulnerability affecting Nagios XI versions prior to 5.4.13, specifically in the Component Download page. The issue stems from unsafe command construction in the download/import handler, which processes attacker-controlled input without sufficient validation or output encoding. This flaw, classified under CWE-78 (OS Command Injection), enables command injection and arbitrary code execution with the privileges of the Nagios XI application service. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious input during component download or import operations, the attacker can inject operating system commands, leading to arbitrary code execution on the server hosting Nagios XI. Successful exploitation grants the attacker the same privileges as the application service, potentially allowing full control over the monitoring system and any connected infrastructure.
Mitigation involves upgrading to Nagios XI version 5.4.13 or later, as detailed in the official Nagios changelog at https://www.nagios.com/changelog/nagios-xi/. Additional guidance on the vulnerability and remediation is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-component-download-page-rce.
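The following is an added illustration of the vulnerability class described above and of the SI-10 (input validation) control, not code from Nagios XI or from any advisory. The handler, the `unzip` command line, the allowlist pattern and the `/tmp/components` path are all constructed assumptions chosen to show the pattern: a component name concatenated into a shell string (the CWE-78 shape) beside a hardened version that allowlists the name and passes an argv list with no shell involved.

```python
import re
import shlex
import subprocess

# Constructed, hypothetical component-download handler used only to illustrate
# CWE-78 (OS command injection) and the SI-10 input-validation control.
# This is not Nagios XI code; the paths and commands are placeholders.

COMPONENT_DIR = "/tmp/components"  # placeholder, not a real Nagios XI path
# Allowlist: one path segment, restricted charset, expected extension, bounded length.
ALLOWED_COMPONENT = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.zip$")
SHELL_METACHARS = set(";|&$`<>(){}\n\r\"' \\")


def build_command_unsafe(component_name: str) -> str:
    """Vulnerable pattern: attacker-controlled input concatenated into a single
    shell string. Returned rather than executed so the effect can be inspected;
    a ';', '$(' or '|' in the name becomes part of the shell command."""
    return f"unzip -o {COMPONENT_DIR}/{component_name} -d {COMPONENT_DIR}"


def validate_component_name(component_name: str) -> bool:
    """SI-10 style allowlist check. Rejects shell metacharacters, path separators,
    dot-prefixed names and anything outside the expected filename shape."""
    if not ALLOWED_COMPONENT.fullmatch(component_name):
        return False
    if component_name.startswith("."):
        return False
    return True


def build_command_safe(component_name: str) -> list[str]:
    """Hardened pattern: validate first, then build an argv list. With shell=False
    each element reaches exec() as one argument, so metacharacters are inert."""
    if not validate_component_name(component_name):
        raise ValueError(f"rejected component name: {component_name!r}")
    return ["unzip", "-o", f"{COMPONENT_DIR}/{component_name}", "-d", COMPONENT_DIR]


def build_command_quoted(component_name: str) -> str:
    """Fallback when a shell string is unavoidable: validate, then quote the
    argument. Quoting alone is not a substitute for the allowlist (it does not
    stop path traversal), which is why validation still runs first."""
    if not validate_component_name(component_name):
        raise ValueError(f"rejected component name: {component_name!r}")
    return f"unzip -o {shlex.quote(COMPONENT_DIR + '/' + component_name)} -d {COMPONENT_DIR}"


def suspicious_component_names(log_lines: list[str]) -> list[str]:
    """Detection helper: flag request log lines whose component= parameter carries
    shell metacharacters. Log format is constructed for this example."""
    flagged = []
    for line in log_lines:
        match = re.search(r"component=([^&\s]*)", line)
        if match and set(match.group(1)) & SHELL_METACHARS:
            flagged.append(line)
    return flagged


def run_safe(component_name: str) -> subprocess.CompletedProcess:
    # shell=False is the default; argv goes straight to exec, no shell parsing.
    return subprocess.run(build_command_safe(component_name), capture_output=True)


if __name__ == "__main__":
    # Constructed sample request log lines for the detection helper.
    sample_log = [
        'GET /components/download.php?component=mycomponent.zip 200',
        'GET /components/download.php?component=foo.zip;id 200',
        'GET /components/download.php?component=$(whoami).zip 200',
    ]
    print("argv:", build_command_safe("mycomponent.zip"))
    print("flagged:", suspicious_component_names(sample_log))
```

The safe builder never consults a shell, so validation and argument passing are two independent layers; the quoted variant exists only for code that cannot drop the shell, and still keeps the allowlist in front of it.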
Details
- CWE(s)