CVE-2019-15949

CVSS 8.8 HIGH · EPSS 77.7% · KEV · CWE-78
Vexday Risk Score: 100 (Fix now)
SSVC decision (CISA): Act (Exploitation + impact → act immediately)
CVSS 8.8 · EPSS 77.7% · KEV: yes · PoC: public · Nuclei · Metasploit: yes · Patch
Lifecycle
29 Jul 2019: Metasploit module available
05 Sep 2019: Published on NVD
10 Mar 2020: Public PoC
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Nagios XI before version 5.6.6 allows attackers with admin or nagios user access to execute arbitrary commands as root by modifying a plugin file that gets run with elevated privileges. This can lead to complete system compromise.

Technical detail

CWE-78 (OS Command Injection) via unsafe sudo execution in the getprofile.sh script. An authenticated user with plugin modification permissions, or the nagios system user, can alter the check_plugin executable to inject malicious commands. Those commands execute as root through a passwordless sudo entry when a system profile is downloaded via profile.php?cmd=download.

Summary generated and translated by AI from the official description.
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
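
A defender-side check for the root cause described above, as an added example that is not Nagios code and not part of the original page: it lists the scripts a sudoers file allows with NOPASSWD and flags any such script, or any file it names by absolute path, that a non-root user owns or can write. The sudoers line and its path are constructed placeholders, and the path extraction is a heuristic assumption.

```python
import os
import re
import stat

# Constructed sudoers line; the path is a placeholder, not the real Nagios XI location.
SAMPLE_SUDOERS = "nagios ALL = NOPASSWD: /path/to/getprofile.sh\n"

def nopasswd_commands(sudoers_text):
    """Return the command paths granted with NOPASSWD in sudoers-style text."""
    cmds = []
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.search(r"NOPASSWD:\s*(.+)", line)
        if m:
            cmds += [c.split()[0] for c in m.group(1).split(",") if c.strip()]
    return cmds

def mode_is_risky(uid, mode):
    """Root-executed files must be root-owned and not group/world-writable."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def referenced_paths(script_text):
    """Heuristic (assumption): absolute paths named in the script that exist as files."""
    found = re.findall(r"(?<![\w.])/[\w./+-]+", script_text)
    return sorted({p for p in found if os.path.isfile(p)})

def audit(sudoers_text):
    """Map each NOPASSWD script to the files a non-root user could alter."""
    report = {}
    for cmd in nopasswd_commands(sudoers_text):
        if not os.path.isfile(cmd):
            continue
        with open(cmd, errors="replace") as fh:
            targets = [cmd] + referenced_paths(fh.read())
        risky = []
        for t in targets:
            st = os.stat(t)
            if mode_is_risky(st.st_uid, st.st_mode):
                risky.append(t)
        if risky:
            report[cmd] = risky
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS))  # the placeholder path is skipped if it does not exist
```

Executables reached through variables or relative paths are not seen by the heuristic, so an empty report does not prove the sudo rule is safe.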
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a