CVE-2026-2043

HighRCE

Published: 20 February 2026

Published

20 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0136 80.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2043 is a high-severity OS Command Injection (CWE-78) vulnerability in Nagios Nagios Xi. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation of user-supplied strings before using them in system calls within the esensors_websensor_configwizard_func method.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by requiring timely identification, reporting, and correction of flaws such as this OS command injection issue through patching.

AC-6 Least Privilege partial match

prevent

Limits the impact of arbitrary code execution by ensuring the Nagios service account operates with least privilege necessary.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of a public-facing web application (Nagios web interface) via authenticated command injection (CWE-78), directly facilitating T1190 and arbitrary Unix shell command execution (T1059.004) as the Nagios service account.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The…

issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.

Deeper analysisAI

CVE-2026-2043 is a command injection vulnerability resulting in remote code execution within the esensors_websensor_configwizard_func method of Nagios Host. The issue stems from insufficient validation of user-supplied strings before they are used in system calls, allowing arbitrary code execution on affected installations. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-78 (OS Command Injection). It was originally tracked as ZDI-CAN-28249.

An authenticated remote attacker can exploit this vulnerability by supplying a malicious string to the affected method, injecting commands that execute in the context of the Nagios service account. This grants high-impact privileges, including confidentiality, integrity, and availability compromises, without requiring user interaction.

Advisories provide mitigation guidance, with Nagios releasing a patched version documented in their changelog at https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/. Additional details are available in the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-072/.

Details

CWE(s): CWE-78

Affected Products

nagios

nagios xi

2026

CVEs Like This One

CVE-2025-34284Same product: Nagios Nagios Xi

CVE-2024-14005Same product: Nagios Nagios Xi

CVE-2026-2041Same product: Nagios Nagios Xi

CVE-2024-14003Same product: Nagios Nagios Xi

CVE-2020-36867Same product: Nagios Nagios Xi

CVE-2026-2042Same product: Nagios Nagios Xi

CVE-2025-34227Same product: Nagios Nagios Xi

CVE-2018-25122Same product: Nagios Nagios Xi

CVE-2013-10073Same product: Nagios Nagios Xi

CVE-2023-7317Same product: Nagios Nagios Xi

References

https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/
Product, Release Notes · zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-26-072/
Third Party Advisory · zdi-disclosures@trendmicro.com