CVE-2018-15708

CRITICAL

Nagios XI Magpie_debug.php Root Remote Code Execution

Title source: metasploit

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-15708. PoCs published by Chris Lyne, lkduy2602, Chris Lyne (@lynerc), Guillaume André (@yaumn_), bcoles, including Metasploit module exploits/linux/http/nagios_xi_magpie_debug.

AI-analyzed exploit summary: This exploit leverages CVE-2018-15710 (and CVE-2018-15708) to achieve remote code execution and privilege escalation on Nagios XI versions 2012r1.0 to 5.5.6. It uses a self-signed certificate to serve a malicious PHP file via an HTTP server, then exploits MagpieRSS to write the file to the target system, leading to arbitrary command execution and root access via sudo misconfigurations.

Description

Snoopy 1.0 in Nagios XI 5.5.6 allows remote unauthenticated attackers to execute arbitrary commands via a crafted HTTP request.

Exploits (4)

exploitdb WORKING POC
by Chris Lyne · python · webapps · linux
https://www.exploit-db.com/exploits/46221

This exploit leverages CVE-2018-15710 (and CVE-2018-15708) to achieve remote code execution and privilege escalation on Nagios XI versions 2012r1.0 to 5.5.6. It uses a self-signed certificate to serve a malicious PHP file via an HTTP server, then exploits MagpieRSS to write the file to the target system, leading to arbitrary command execution and root access via sudo misconfigurations.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nagios XI 2012r1.0 to 5.5.6
No auth needed
Prerequisites: Network access to Nagios XI instance · MagpieRSS debug script accessible · Outbound connectivity from target to attacker's HTTP server
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER
by lkduy2602 · poc
https://github.com/lkduy2602/Detecting-CVE-2018-15708-Vulnerabilities

This repository contains a Python script that detects potential exploitation attempts of CVE-2018-15708 by monitoring network traffic for specific TCP flags and window sizes. It logs and emails alerts when suspicious patterns are detected.

Classification: Scanner 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Network devices vulnerable to CVE-2018-15708
No auth needed
Prerequisites: Network access to monitor traffic · Python with Scapy and colorama libraries
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
ruby · remote · linux
https://www.exploit-db.com/exploits/47039

This Metasploit module exploits CVE-2018-15708 (unauthenticated RCE via magpie_debug.php) and CVE-2018-15710 (local privilege escalation) to achieve a root reverse shell on Nagios XI 5.5.6. It uploads a webshell and meterpreter payload, then escalates privileges using autodiscovery or NSE scripts.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nagios XI 5.5.6
No auth needed
Prerequisites: Network access to Nagios XI server · Publicly reachable IP for callback
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC EXCELLENT
by Chris Lyne (@lynerc), Guillaume André (@yaumn_), bcoles · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_magpie_debug.rb

This Metasploit module exploits CVE-2018-15708 (unauthenticated RCE) and CVE-2018-15710 (local privilege escalation) in Nagios XI <= 5.5.6 to achieve root-level command execution. It uploads a PHP web shell and a Meterpreter payload to writable directories, then escalates privileges via sudo misconfigurations.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nagios XI <= 5.5.6
No auth needed
Prerequisites: Network access to Nagios XI web interface (port 443/HTTPS) · Publicly reachable IP for callback
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46221/
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2018-37

Scores

CVSS v3 9.8
EPSS 0.9134
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
nagios/nagios_xi 5.5.6
Published Nov 14, 2018
Tracked Since Feb 18, 2026