CVE-2019-15949

HIGH KEV

Nagios XI < 5.6.6 - Authenticated Remote Command Execution via getprofile.sh

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-15949 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 6 public exploits from researchers including Metasploit, Calil Khalil, plur1bu5, including a Metasploit module auxiliary/scanner/http/nagios_xi_scanner.

AI-analyzed exploit summary This Metasploit module exploits CVE-2019-15949 in Nagios XI before 5.6.6 to achieve authenticated remote command execution as root by uploading a malicious plugin and triggering its execution via a system profile download request.

Description

Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/48191

This Metasploit module exploits CVE-2019-15949 in Nagios XI before 5.6.6 to achieve authenticated remote command execution as root by uploading a malicious plugin and triggering its execution via a system profile download request.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI < 5.6.6
Auth required
Prerequisites: Valid administrative credentials for Nagios XI · Access to the Nagios XI web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Calil Khalil · textwebappsmultiple
https://www.exploit-db.com/exploits/52138

This exploit leverages an authenticated file upload vulnerability in Nagios XI to achieve remote code execution by uploading a malicious plugin disguised as 'check_ping'. The payload establishes a reverse shell to the attacker's specified IP and port.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI 5.6.6
Auth required
Prerequisites: Valid credentials for Nagios XI · Network access to the target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by plur1bu5 · poc
https://github.com/plur1bu5/Nagios-CVE-2019-15949-RCE

This repository contains a functional Python exploit for CVE-2019-15949, which leverages a privilege escalation vulnerability in Nagios XI <= 5.6.5. The exploit uploads a malicious plugin via the web interface and triggers it to achieve root RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI <= 5.6.5
Auth required
Prerequisites: Valid credentials for Nagios XI web interface · Permissions to manage plugins · Network access to the target
devstral-2 · analyzed Mar 18, 2026 Full analysis →
metasploit SCANNER
by Erik Wynter · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/nagios_xi_scanner.rb

This Metasploit module scans Nagios XI installations to detect their version and suggests matching exploit modules based on the version number. It requires authentication or a manually provided version to function.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI
Auth required
Prerequisites: valid Nagios XI credentials or a specific version number
devstral-2 · analyzed Jun 05, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote-auth
https://github.com/hadrian3689/nagiosxi_5.6.6

This repository contains a functional Python exploit for CVE-2019-15949, an authenticated remote code execution vulnerability in Nagios XI. The exploit authenticates to the target, uploads a malicious plugin, and executes a reverse shell payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI 5.6.6
Auth required
Prerequisites: valid credentials for Nagios XI · network access to the target · listener setup for reverse shell
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Jak Gibb, Erik Wynter · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb

This Metasploit module exploits an authenticated RCE vulnerability in Nagios XI prior to 5.6.6 by uploading a malicious 'check_ping' plugin via the monitoring plugins interface and executing it through a GET request to the profile download endpoint.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI < 5.6.6
Auth required
Prerequisites: Valid administrative credentials for Nagios XI · Network access to the Nagios XI server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.8692
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-11-03
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2019-6850
CWE
CWE-78
Status published
Products (1)
nagios/nagios_xi < 5.6.6
Published Sep 05, 2019
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026