CVE-2020-35578

HIGH

Nagios XI < 5.8.0 - Authenticated OS Command Injection via Plugin Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2020-35578. PoCs published by Haboob Team, Erik Wynter, Haboob Team, Erik Wynter, including Metasploit module auxiliary/scanner/http/nagios_xi_scanner.

AI-analyzed exploit summary This exploit targets CVE-2020-35578 in Nagios XI 5.7.x, leveraging authenticated file upload to achieve remote code execution via a base64-encoded reverse shell payload. It bypasses CSRF protection by extracting the NSP token and abuses the monitoring plugins upload functionality.

Description

An issue was discovered in the Manage Plugins page in Nagios XI before 5.8.0. Because the line-ending conversion feature is mishandled during a plugin upload, a remote, authenticated admin user can execute operating-system commands.

Exploits (3)

exploitdb WORKING POC
by Haboob Team · pythonwebappsphp
https://www.exploit-db.com/exploits/49422

This exploit targets CVE-2020-35578 in Nagios XI 5.7.x, leveraging authenticated file upload to achieve remote code execution via a base64-encoded reverse shell payload. It bypasses CSRF protection by extracting the NSP token and abuses the monitoring plugins upload functionality.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI 5.7.x
Auth required
Prerequisites: Valid Nagios XI credentials · Network access to target · Listener for reverse shell
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit SCANNER
by Erik Wynter · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/nagios_xi_scanner.rb

This Metasploit module scans Nagios XI installations to detect their version and suggests matching exploit modules based on the version number. It requires authentication or a manually provided version to function.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI
Auth required
Prerequisites: valid Nagios XI credentials or a specific version number
devstral-2 · analyzed Jun 05, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Haboob Team, Erik Wynter · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_plugins_filename_authenticated_rce.rb

This Metasploit module exploits CVE-2020-35578, a command injection vulnerability in Nagios XI's plugin upload functionality. It allows authenticated admin users to achieve remote code execution by uploading a malicious plugin with a crafted filename.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nagios XI prior to 5.8.0
Auth required
Prerequisites: Valid Nagios XI admin credentials · Network access to the Nagios XI web interface
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.nagios.com/downloads/nagios-xi/change-log/
Vendor Advisory x_refsource_confirm
https://www.nagios.com/products/security/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/160948/Nagios-XI-5.7.x-Remote-Code-Execution.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/162207/Nagios-XI-Remote-Code-Execution.html

Scores

CVSS v3 7.2
EPSS 0.8192
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (1)
nagios/nagios_xi < 5.8.0
Published Jan 13, 2021
Tracked Since Feb 18, 2026