CVE-2021-25297

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 February 2021

Modified: 03 November 2025
KEV Added: 18 January 2022
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8187 (99.2nd percentile)
Risk Priority: 87 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-25297 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Nagios XI version xi-5.7.5 contains an OS command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. The flaw stems from insufficient sanitization of user-controlled input supplied in a single HTTP request and is tracked under CWE-78 with a CVSS 3.1 score of 8.8.

An authenticated attacker with network access can submit a crafted request to the affected component and execute arbitrary operating-system commands on the Nagios XI server, resulting in full confidentiality, integrity, and availability impact without user interaction.

Public exploit code has been posted to Packet Storm and a detailed bug report is available on GitHub; the Nagios versions page and vendor site provide the authoritative locations for subsequent software updates.

Vulnerability details

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Nagios
Product: Nagios XI
Affected versions: 5.5.6 through 5.7.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of untrusted input to block the OS command injection in switch.inc.php.

Privilege limitation (prevent): Limits privileges of authenticated Nagios users so a successful injection cannot achieve full system compromise.

SI-2 Flaw Remediation (prevent): Mandates timely application of vendor patches that eliminate the CWE-78 flaw in the affected configwizard component.
