Cyber Resilience

CVE-2019-15949

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 05 September 2019
Modified: 06 November 2025
KEV added: 03 November 2021
Patch: available (upgrade to Nagios XI 5.6.6 or later)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.8692 (99.5th percentile)
Risk priority: 90 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-15949 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI, by Nagios. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.5% of CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Deeper analysis

Nagios XI versions prior to 5.6.6 contain an OS command injection vulnerability (CWE-78) that permits remote command execution as root. The flaw centers on the getprofile.sh script, which is invoked when an authenticated user requests a system profile download via profile.php?cmd=download. This script is executed with root privileges through a passwordless sudo entry and in turn runs the check_plugin binary, which is writable by the nagios user.

An attacker who can log in as the nagios user on the underlying server, or who obtains administrative access through the Nagios XI web interface and holds plugin-modification rights, can replace check_plugin with a malicious executable. When the profile download action is triggered, the injected commands execute with root privileges, yielding full system control. The vulnerability carries a CVSS 3.1 score of 8.8.

Public exploit code for this issue has been released on Packet Storm and GitHub, confirming that working proof-of-concept attacks exist against unpatched installations. No official vendor advisory text is referenced in the supplied sources; the only indicated remediation is upgrading to Nagios XI 5.6.6 or later.

EU & UK References

Vulnerability details

Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.

CWE(s): CWE-78 (OS Command Injection)
KEV date added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nagios
Product: nagios xi
Versions: ≤ 5.6.6

Mitigating Controls (NIST 800-53 r5)

- prevent, AC-6 (Least Privilege): enforcing least privilege would eliminate the passwordless sudo entry that lets getprofile.sh run the nagios-writable check_plugin as root.
- prevent, CM-5 (Access Restrictions for Change): access restrictions on change would block the nagios user (or web admin) from replacing the check_plugin executable with malicious code.
- detect: integrity verification of check_plugin would detect unauthorized modification before the profile-download action triggers root-level execution.
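As an added defensive example, not code from this advisory page or from Nagios, the POSIX shell audit script below checks the three conditions these controls target on a host: that a binary invoked by a root-privileged helper is root-owned and not group/other-writable (the least-privilege and change-restriction points), that no active sudoers line grants NOPASSWD for getprofile.sh, and that the binary's SHA-256 still matches a hash recorded at deployment time (the integrity-verification point). Every path, the sample sudoers fragment and the demo files are constructed placeholders; real Nagios XI install paths are not given on this page and will differ.

```shell
#!/bin/sh
# Added defensive audit example; not code from the advisory or from Nagios.
# All paths and the sample sudoers content are constructed placeholders.

# Print a FINDING line for each weakness in a plugin binary's metadata:
# an owner other than root, or write permission for group or other.
# Parsed from `ls -ld` with awk/cut so it runs on any POSIX shell.
audit_plugin_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "FINDING: $f does not exist"
        return 0
    fi
    perms=$(ls -ld "$f" | awk '{print $1}')   # e.g. -rwxrwxr-x
    owner=$(ls -ld "$f" | awk '{print $3}')
    if [ "$owner" != "root" ]; then
        echo "FINDING: $f is owned by $owner rather than root"
    fi
    gw=$(printf '%s' "$perms" | cut -c6)      # group write bit
    ow=$(printf '%s' "$perms" | cut -c9)      # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FINDING: $f is group/other-writable ($perms)"
    fi
    return 0
}

# SHA-256 of a file, using sha256sum (Linux) or shasum (macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the current hash with the one recorded at deployment time.
# Prints OK or a FINDING line so a scheduler can grep the output.
verify_plugin_hash() {
    actual=$(file_sha256 "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK"
    else
        echo "FINDING: $1 hash $actual differs from recorded $2"
    fi
}

# Count active (non-comment) sudoers lines granting NOPASSWD for a script
# name. A non-zero count means the passwordless entry is still in place.
count_nopasswd_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD' | grep -c "$2" || true
}

# Stand-alone demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho UP\n' > "$d/check_plugin"   # placeholder plugin
    chmod 775 "$d/check_plugin"                          # the weak setting
    printf '%s\n' \
        '# constructed sample sudoers fragment, not a real Nagios XI file' \
        'nagios ALL=(root) NOPASSWD: /opt/example/getprofile.sh' \
        > "$d/sudoers.sample"
    recorded=$(file_sha256 "$d/check_plugin")            # baseline hash
    echo "--- permissions ---"
    audit_plugin_file "$d/check_plugin"
    echo "--- sudoers ---"
    echo "NOPASSWD entries for getprofile.sh: $(count_nopasswd_entries "$d/sudoers.sample" getprofile.sh)"
    echo "--- integrity ---"
    printf 'echo CHANGED\n' >> "$d/check_plugin"         # an unauthorized change
    verify_plugin_hash "$d/check_plugin" "$recorded"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `sh audit.sh --demo` to see all three checks fire on the constructed files; in practice the functions would be pointed at the real plugin path and sudoers file and run from a scheduled job, with any FINDING line forwarded to the SIEM. The hash check is only meaningful when the recorded value is stored somewhere the nagios user cannot write.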

References