LiveActive security incident?Get immediate response
CVE Record

CVE-2018-25122: Nagios XI < 5.4.13 Component Download Page RCE

Nagios XI versions prior to 5.4.13 contain a remote code execution vulnerability in the Component Download page. The download/import handler used unsafe command construction with attacker-controlled input and lacked sufficient validation and output encoding, allowing an authenticated user to inject commands or otherwise execute arbitrary code with the privileges of the application service.

HighCVSS 8.7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Nagios XI is monitoring software used by IT teams to watch networks and servers. Versions before 5.4.13 contain a flaw in the Component Download page that lets a logged-in user run their own commands on the server. Because Nagios often runs with broad access, a low-privileged insider or anyone with stolen credentials could take control of monitoring infrastructure and pivot deeper.

Executive priority

Treat this as a high-priority patching item for any team running Nagios XI. Compromise of monitoring infrastructure typically yields broad visibility into the environment and a strong pivot point, so schedule the upgrade in the next maintenance window and tighten access in the meantime.

Technical view

The Component Download/import handler in Nagios XI builds shell commands using attacker-controlled input without sufficient validation or output encoding (CWE-78, OS Command Injection). An authenticated user can inject operating system commands that execute with the privileges of the Nagios application service. CVSS 4.0 base score is 8.7 (AV:N/AC:L/PR:L/UI:N/VC:H/VI:H/VA:H), indicating network-reachable, low-complexity, low-privilege exploitation with high impact to confidentiality, integrity, and availability.

Likely exposure

Organizations running Nagios XI versions earlier than 5.4.13 are exposed, particularly where the web interface is reachable by employees, contractors, or any account on the system. Internet-exposed Nagios XI portals and shared monitoring tenants increase blast radius. The vulnerability bundle does not enumerate specific patched build numbers beyond the 5.4.13 threshold.

Exploitation context

Sources do not list this CVE in CISA KEV, and no public reports of in-the-wild exploitation are cited. Exploitation requires authentication, limiting opportunistic abuse, but it is well within reach for malicious insiders or attackers reusing phished credentials. A VulnCheck third-party advisory documents the issue, indicating the technique is known to researchers and defenders.

Researcher notes

CWE-78 OS command injection in an authenticated web handler; CVSS 4.0 vector indicates network attack vector with low privileges and no user interaction. Bundle cites Nagios changelog and a VulnCheck advisory but no exploit PoC, KEV listing, or EPSS data. Confirm the precise vulnerable parameter and patched commit by reviewing vendor release notes and the third-party advisory before drafting detections.

Mitigation direction

  • Upgrade Nagios XI to version 5.4.13 or later per the vendor changelog.
  • Restrict Nagios XI web access to trusted networks and authenticated administrators only.
  • Audit and rotate Nagios XI user credentials; remove unused or shared accounts.
  • Run the Nagios service under a least-privilege account and isolate the host.
  • Monitor for unexpected child processes spawned by the Nagios web service.

Validation and detection

  • Identify all Nagios XI instances and record their exact version from the admin console.
  • Compare installed versions against 5.4.13; flag any earlier build as vulnerable.
  • Review web server and application logs for anomalous Component Download or import requests.
  • Check process and audit logs for shell or command execution under the Nagios service account.
  • Confirm post-upgrade by verifying the version banner and re-running the inventory.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-78: Command execution behavior lookup

Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-25122 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.7 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.7CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

8.7High
CVSS 4.0 vector shape for CVE-2018-25122Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
NagiosXI0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-78 · source CWE mapping

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.