CVE-2018-8733

CRITICAL

Nagios XI <5.4.13 - Auth Bypass

Title source: llm

Description

Authentication bypass vulnerability in the core config manager in Nagios XI 5.2.x through 5.4.x before 5.4.13 allows an unauthenticated attacker to make configuration changes and leverage an authenticated SQL injection vulnerability.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotelinux

https://www.exploit-db.com/exploits/44969

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Jared Arave · pythonwebappsphp

https://www.exploit-db.com/exploits/44560

View Code ZIP pw:eip

metasploit WORKING POC MANUAL

by Cale Smith, Benny Husted, Jared Arave · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rb

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Francesco Oddo, wvu · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_chained_rce.rb

View Code ZIP pw:eip

References (6)

[Release Notes, Vendor Advisory] https://assets.nagios.com/downloads/nagiosxi/CHANGES-5.TXT

[Exploit, Technical Description, Third Party Advisory] https://blog.redactedsec.net/exploits/2018/04/26/nagios.html

[Third Party Advisory] https://gist.github.com/caleBot/f0a93b5a98574393e0139104eacc2d0f

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/44560/

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/44969/

[Release Notes, Vendor Advisory] https://www.nagios.com/downloads/nagios-xi/change-log/

Scores

CVSS v3 9.8

EPSS 0.7710

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

nagios/nagios_xi 5.2.0 - 5.4.13

Published Apr 18, 2018

Tracked Since Feb 18, 2026