CVE-2021-37223: Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedul...
Nagios Enterprises NagiosXI <= 5.8.4 contains a Server-Side Request Forgery (SSRF) vulnerability in schedulereport.php. Any authenticated user can create scheduled reports containing PDF screenshots of any view in the NagiosXI application. Due to lack of input sanitisation, the target page can be replaced with an SSRF payload to access internal resources or disclose local system files.
Security readout for executives and security teams
Plain-English summary
CVE-2021-37223 lets an authenticated Nagios XI user abuse scheduled report generation to make the server request unintended targets. In business terms, a user with access to Nagios XI may be able to reach internal resources or expose local files through the reporting feature. Public source data does not provide CVSS scoring or confirmed active exploitation.
Executive priority
Treat this as a focused remediation item for environments using Nagios XI. It is not supported as actively exploited by the supplied sources, but authenticated SSRF in monitoring infrastructure can expose sensitive internal systems.
Technical view
Nagios XI through 5.8.4 is described as vulnerable to SSRF in schedulereport.php. Scheduled reports generate PDF screenshots of application views; insufficient input sanitisation allows the target page to be replaced with an SSRF payload. The reported impact is access to internal resources or disclosure of local system files by any authenticated user.
Likely exposure
Exposure is most likely where Nagios XI <= 5.8.4 is deployed and non-admin or broadly trusted users can authenticate and create scheduled reports.
Exploitation context
The source bundle says exploitation requires authentication. CISA KEV status is false in the supplied data, and no cited source confirms active exploitation. The impact depends on Nagios XI network reachability and local file access context.
Researcher notes
The public data is sparse: no CVSS vector, CWE mapping, detailed patch note, or exploit telemetry is included. The strongest technical claims are authenticated SSRF in schedulereport.php, affected Nagios XI <= 5.8.4, and potential internal resource or local file disclosure.
Mitigation direction
Identify all Nagios XI deployments and versions.
Check Nagios vendor guidance and changelog for the fixed release path.
Upgrade affected Nagios XI instances according to vendor guidance.
Restrict scheduled report creation to trusted users where possible.
Limit Nagios XI server egress to sensitive internal services.
Validation and detection
Confirm whether any instance runs Nagios XI <= 5.8.4.
Review which roles can create scheduled reports.
Check scheduled report records for unusual internal or local targets.
Verify remediation against the Nagios XI changelog.
Confirm no unnecessary internal services are reachable from Nagios XI.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Cloud metadata behavior lookup
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
2Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 5, 2021, 11:59 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.