Cyber Resilience

CVE-2021-25296

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 15 February 2021

Modified: 03 November 2025
KEV Added: 18 January 2022
Patch
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9329 (99.8th percentile)
Risk Priority: 94 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-25296 is a high-severity OS command injection vulnerability in Nagios XI (no CWE is assigned on this record). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Nagios XI version xi-5.7.5 is affected by an OS command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. The flaw arises from improper sanitization of input supplied by authenticated users in a single HTTP request, allowing arbitrary operating system commands to be executed on the Nagios XI server.

Authenticated attackers with network access can exploit the issue without user interaction to achieve remote code execution, resulting in complete loss of confidentiality, integrity, and availability on the affected server.

Public proof-of-concept code for remote code execution against this version has been released on PacketStorm Security, and additional technical details are hosted in a GitHub repository documenting Nagios XI bugs. Nagios references its versions page and main site for obtaining updated releases.


CWE(s): none listed on this record

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nagios
Product: nagios xi
Versions: 5.5.6 to 5.7.5

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of all user-supplied input before it is used in OS commands, blocking the injection vector in windowswmi.inc.php.

prevent: AC-6 (Least Privilege). Limits the privileges of the web-server/Nagios process so that even a successful command injection yields only minimal OS access rather than full server compromise.

prevent: Mandates prompt application of vendor patches that eliminate the unsanitized input path in the Windows WMI configuration wizard.
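As an added illustration (not Nagios XI's own windowswmi.inc.php, which this record does not reproduce), the following hypothetical PHP wizard handler shows the unsafe "request value concatenated into a shell command" pattern this CVE describes beside the SI-10 hardened form; the plugin path, parameter names and sample inputs are all assumptions, and the script only builds command strings, it never executes them.

```php
<?php
// Added example, not Nagios XI code: two ways a PHP configuration wizard
// might build a shell command from request parameters. The plugin path,
// the parameter names and the sample inputs below are hypothetical.
declare(strict_types=1);

const PLUGIN = '/usr/local/nagios/libexec/check_wmi_plus.pl'; // hypothetical path

// Unsafe pattern: request values go straight into the command line, so any
// shell metacharacter in $params['host'] becomes part of the command.
function buildCommandUnsafe(array $params): string
{
    return PLUGIN . ' -H ' . $params['host'] . ' -u ' . $params['username'];
}

// Hardened pattern (SI-10): reject anything that is not a plausible hostname
// or IPv4 literal / simple account name, then quote every argument with
// escapeshellarg() so the shell sees each value as one literal token.
// The process running this should itself be a low-privilege account (AC-6).
function buildCommandSafe(array $params): ?string
{
    $host = $params['host'] ?? '';
    $user = $params['username'] ?? '';
    // Allowlist for hosts: letters, digits, dot, hyphen.
    if (!preg_match('/\A[A-Za-z0-9.-]{1,253}\z/', $host)) {
        return null; // refuse and report an error to the UI; run nothing
    }
    // Allowlist for accounts: also permits DOMAIN\user and user@domain forms.
    if (!preg_match('/\A[A-Za-z0-9._@\\\\-]{1,104}\z/', $user)) {
        return null;
    }
    return PLUGIN . ' -H ' . escapeshellarg($host) . ' -u ' . escapeshellarg($user);
}

// Constructed request whose host field carries a shell metacharacter.
$request = ['host' => '10.0.0.5; echo injected', 'username' => 'CORP\\monitor'];

echo 'unsafe: ' . buildCommandUnsafe($request) . PHP_EOL;
// The "; echo injected" suffix survives, so shell_exec() would run a second command.

$safe = buildCommandSafe($request);
echo 'safe:   ' . ($safe ?? 'rejected by input validation') . PHP_EOL;

// A well-formed request passes validation and comes out fully quoted.
$clean = ['host' => 'dc01.corp.example', 'username' => 'CORP\\monitor'];
echo 'safe:   ' . buildCommandSafe($clean) . PHP_EOL;
```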
