Cyber Resilience

CVE-2021-25298

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 15 February 2021

Modified: 03 November 2025
KEV Added: 18 January 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7516 (98.9th percentile)
Risk Priority: 83 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-25298 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios XI. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Nagios XI version xi-5.7.5 contains an OS command injection vulnerability in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. The flaw arises from insufficient sanitization of input supplied by an authenticated user in a single HTTP request, enabling execution of arbitrary operating system commands on the Nagios XI server. The issue is tracked as CVE-2021-25298 with a CVSS 3.1 score of 8.8 and is associated with CWE-78.

An authenticated attacker with network access can exploit the weakness by submitting a crafted HTTP request to the affected component. Successful exploitation allows the attacker to run arbitrary commands on the underlying server, resulting in high impact to confidentiality, integrity, and availability without requiring user interaction.

Public references include the Nagios versions.php page for software updates along with detailed exploit descriptions on PacketStorm and GitHub that demonstrate remote code execution against version 5.7.5. No specific mitigation steps beyond upgrading are described in the provided references.

EU & UK References

Vulnerability details

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

CWE(s)
KEV Date Added
18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nagios
nagios xi
5.5.6 — 5.7.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all user-supplied input before it is used in OS commands, blocking the exact flaw in cloud-vm.inc.php.

prevent

Limits privileges of the web-server process and Nagios account so that even a successful injection yields minimal OS-level impact.

prevent · detect

Can be configured to inspect and block command-execution patterns or malicious payloads submitted via HTTP to the affected wizard.

References