CVE-2018-8733

CRITICAL

Nagios XI 5.2.0-5.4.12 - Unauthenticated SQL Injection via Core Config Manager

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-8733. PoCs published by Metasploit, Jared Arave, Cale Smith, Benny Husted, Jared Arave, including Metasploit module exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.

AI-analyzed exploit summary This Metasploit module exploits multiple vulnerabilities in Nagios XI (CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736) to achieve remote root access via SQL injection, API key enumeration, and command injection.

Description

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/44969

This Metasploit module exploits multiple vulnerabilities in Nagios XI (CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736) to achieve remote root access via SQL injection, API key enumeration, and command injection.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Nagios XI 5.2.6-5.4.12
No auth needed
Prerequisites: Network access to Nagios XI web interface · Vulnerable version of Nagios XI
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Jared Arave · pythonwebappsphp
https://www.exploit-db.com/exploits/44560

This exploit chains multiple vulnerabilities (CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736) in Nagios XI to achieve remote root access. It starts by changing the database user to root, extracts API keys via SQL injection, adds an administrative user, and executes a reverse shell or custom command.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Nagios XI versions 5.2.[6-9], 5.3, 5.4
No auth needed
Prerequisites: Network access to the target Nagios XI instance · Nagios XI version 5.2.[6-9], 5.3, or 5.4
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC MANUAL
by Cale Smith, Benny Husted, Jared Arave · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb

This Metasploit module exploits a chain of vulnerabilities in Nagios XI (CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736) to achieve remote root access. It involves SQL injection, API key enumeration, administrative user addition, and command injection via authenticated sessions.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Nagios XI 5.2.6-5.4.12
No auth needed
Prerequisites: Network access to Nagios XI web interface · Vulnerable version of Nagios XI
devstral-2 · analyzed Apr 23, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Francesco Oddo, wvu · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_chained_rce.rb

This Metasploit module exploits a chain of vulnerabilities in Nagios XI (CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736) including SQL injection, authentication bypass, file upload, and command injection to achieve remote code execution as root. It automates the entire exploit chain from token extraction to payload delivery.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: Nagios XI <= 5.2.7
No auth needed
Prerequisites: Network access to Nagios XI web interface · Valid user ID in the database (default: 1)
devstral-2 · analyzed Apr 23, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44560/
Release Notes, Vendor Advisory x_refsource_misc
https://www.nagios.com/downloads/nagios-xi/change-log/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://blog.redactedsec.net/exploits/2018/04/26/nagios.html
Release Notes, Vendor Advisory x_refsource_misc
https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44969/

Scores

CVSS v3 9.8
EPSS 0.7710
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
nagios/nagios_xi 5.2.0 - 5.4.13
Published Apr 18, 2018
Tracked Since Feb 18, 2026