CVE-2020-36856
Published: 30 October 2025
Summary
CVE-2020-36856 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios Nagios Xi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the 'address' parameter in command_test.php to block shell metacharacter injection into backend command invocations.
Mandates timely remediation of the specific OS command injection flaw via upgrade to Nagios XI 5.6.14 or equivalent patching.
Enforces least privilege on the Nagios XI web application user to restrict the scope of arbitrary commands executed on the host.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables authenticated remote command execution via OS command injection (CWE-78) in a web application component, directly facilitating exploitation of remote services (T1210) and execution via Unix Shell (T1059.004).
NVD Description
Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM command_test.php script. Insufficient validation of the `address` parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that…
more
are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user and may be leveraged to execute commands on the underlying XI host, modify system configuration, or fully compromise the host.
Deeper analysisAI
CVE-2020-36856 is an authenticated remote command execution vulnerability affecting Nagios XI versions prior to 5.6.14. The issue resides in the Core Config Manager (CCM) component's command_test.php script, where insufficient validation of the `address` parameter permits an attacker to inject shell metacharacters. These metacharacters are incorporated into backend command invocations, classified under CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated user with access to the Core Config Manager can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary command execution with the privileges of the Nagios XI web application user, enabling attackers to run commands on the underlying host, modify system configurations, or achieve full host compromise.
Nagios advisories recommend upgrading to Nagios XI version 5.6.14 or later to mitigate the vulnerability, as detailed in the official changelog and security product pages. Additional analysis is available from VulnCheck, which covers the authenticated RCE via the command_test.php address parameter.
Details
- CWE(s)