← Retour aux CVEs
CVE-2019-15949
HIGHCISA KEV8.8
Description
Nagios XI before 5.6.6 allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile (profile.php?cmd=download), is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
Details CVE
Score CVSS v3.18.8
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie9/5/2019
Derniere modification11/6/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurNagios
ProduitNagios XI
Nom vulnerabiliteNagios XI Remote Code Execution Vulnerability
Date ajout KEV2021-11-03
Date limite remediation2022-05-03
Utilise dans ransomwareUnknown
Produits affectes
nagios:nagios_xi
Faiblesses (CWE)
CWE-78CWE-78
References
http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/162158/Nagios-XI-getprofile.sh-Remote-Command-Execution.html(cve@mitre.org)
https://github.com/jakgibb/nagiosxi-root-rce-exploit(cve@mitre.org)
http://packetstormsecurity.com/files/156676/Nagios-XI-Authenticated-Remote-Command-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/162158/Nagios-XI-getprofile.sh-Remote-Command-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/jakgibb/nagiosxi-root-rce-exploit(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-15949(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.