CVE-2021-25298

HIGH KEV NUCLEI

Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2021-25298 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022. EIP tracks 1 public exploit, a Metasploit module (exploits/linux/http/nagios_xi_configwizards_authenticated_rce) credited to researchers including Matthew Mathur. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2021-25298 (and related CVEs) in Nagios XI by leveraging authenticated command injection vulnerabilities in configuration wizards. It supports multiple payloads and targets Linux systems, demonstrating reliable remote code execution as the apache user.

Description

Nagios XI version xi-5.7.5 is affected by OS command injection. The vulnerability exists in the file /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php due to improper sanitization of authenticated user-controlled input by a single HTTP request, which can lead to OS command injection on the Nagios XI server.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Matthew Mathur · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nagios_xi_configwizards_authenticated_rce.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Nagios XI versions 5.5.6 to 5.7.5
Auth required
Prerequisites: Valid Nagios XI credentials · Access to the Nagios XI web interface
devstral-2 · analyzed Apr 23, 2026

Nuclei Templates (1)

Nagios XI 5.5.6-5.7.5 - Authenticated Remote Command Injection
HIGH · VERIFIED · by k0pak4
Shodan: title:"Nagios XI" || http.title:"nagios xi"
FOFA: title="nagios xi" || app="nagios-xi"

Scores

CVSS v3 8.8
EPSS 0.7516
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-01-18
VulnCheck KEV 2021-06-01
InTheWild.io 2021-07-01
ENISA EUVD EUVD-2021-12198
CWE CWE-78
Status published
Products (1)
nagios/nagios_xi 5.5.6 - 5.7.5
Published Feb 15, 2021
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026