CVE-2020-36863
Published: 30 October 2025
Summary
CVE-2020-36863 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Nagios XI. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the unrestricted file upload by enforcing validation of file types and content at the audio import input point to block dangerous PHP files.
- Mandates secure configuration settings for the web server to prevent execution of files stored in the Audio Import directory within the webroot.
- Limits system functionality to essentials, prohibiting PHP execution capabilities in non-essential upload directories like Audio Import.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing web application (Nagios XI) enables exploitation of public-facing application (T1190) and deployment/execution of web shells via uploaded PHP files (T1100) for RCE.
NVD Description
Nagios XI versions prior to 5.7.2 allow PHP files to be uploaded to the Audio Import directory and executed from that location. The upload handler did not properly restrict file types or enforce storage outside of the webroot, and the web server permitted execution within the upload directory. An authenticated attacker with access to the audio import feature could upload a crafted PHP file and then request it to achieve remote code execution with the privileges of the application service.
Deeper analysis
CVE-2020-36863 is an unrestricted file upload vulnerability in Nagios XI versions prior to 5.7.2. The issue resides in the Audio Import directory, where the upload handler fails to properly restrict file types or enforce storage outside of the webroot. Additionally, the web server configuration permits execution of uploaded files from this location, enabling PHP files to be uploaded and executed.
An authenticated attacker with access to the audio import feature can exploit this vulnerability by uploading a crafted PHP file to the Audio Import directory and then requesting it via the web server. Successful exploitation leads to remote code execution with the privileges of the Nagios XI application service. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Mitigation guidance from the Nagios XI changelog and Vulncheck advisory recommends upgrading to Nagios XI version 5.7.2 or later, which resolves the issue by implementing proper file type restrictions and storage enforcement in the upload handler.
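As an added illustration written for this page (not Nagios code and not the 5.7.2 fix itself), the checks a hardened audio-import handler would apply to close the two gaps described above: an allowlisted extension, a content signature matching that extension, no embedded PHP tag, and a server-chosen filename under a directory assumed to sit outside the webroot. The directory path, signature table and function names are assumptions.

```python
import os
import re
import secrets

# Assumed storage location, deliberately OUTSIDE the web server's document root.
UPLOAD_ROOT = "/var/nagiosxi-uploads/audio"

# Allowed extensions mapped to the byte signatures each must start with
# (constructed table for illustration; extend as needed).
ALLOWED_TYPES = {
    "wav": [b"RIFF"],
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "ogg": [b"OggS"],
}

class RejectedUpload(ValueError):
    """Raised when an upload fails any validation step."""

def validate_audio_upload(original_name: str, data: bytes) -> str:
    """Return a safe destination path for the upload, or raise RejectedUpload.

    Order of checks: the name is a single 'name.ext' (so 'x.php' and
    'x.php.wav' double extensions are both refused), the extension is on the
    allowlist, the body starts with the matching audio signature, and no PHP
    open tag appears anywhere in the body. The on-disk name is random, so the
    client never controls where or under what name the file is written.
    """
    base = os.path.basename(original_name)          # drops any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        raise RejectedUpload("filename must be a simple name.ext")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise RejectedUpload(f".{ext} is not an allowed audio type")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise RejectedUpload("content does not match the declared audio type")
    if b"<?php" in data or b"<?=" in data:
        raise RejectedUpload("embedded PHP tag found in upload body")
    dest = os.path.join(UPLOAD_ROOT, f"{secrets.token_hex(16)}.{ext}")
    # Defensive check that the final path cannot escape the upload root.
    if os.path.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise RejectedUpload("destination escaped the upload root")
    return dest

def is_rejected(original_name: str, data: bytes) -> bool:
    """Yes/no wrapper around validate_audio_upload for callers that only log."""
    try:
        validate_audio_upload(original_name, data)
        return False
    except RejectedUpload:
        return True
```

Keeping the file outside the webroot and configuring the web server to refuse script execution in the upload directory remains the primary control; the content checks here are defence in depth against a file that is later served from the wrong place.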
Details
- CWE(s)