CVE-2021-25297 — Nagios XI OS Command Injection

Nagios XI Network Monitoring — Authenticated OS Command Injection via LDAP Configuration Wizard Enables Root Code Execution on Monitoring Server

What is Nagios XI's LDAP Configuration Wizard?

Nagios XI includes configuration wizards that allow administrators to set up monitoring for various system types. The LDAP configuration wizard allows Nagios XI to monitor LDAP directories (Active Directory, OpenLDAP) by querying them via LDAP check commands. The wizard accepts parameters — including the LDAP server hostname or IP address — that are used to construct monitoring check commands executed on the Nagios XI server. When these parameters are not properly sanitized, they create OS command injection vulnerabilities: an attacker can inject shell commands into the LDAP check parameters, causing arbitrary commands to execute on the Nagios XI server with the elevated privileges of the Nagios backend process.

Overview

CVE-2021-25297 is an OS command injection vulnerability in Nagios XI's LDAP configuration wizard. The ldap_check parameter accepted by the wizard is incorporated into an OS command executed on the Nagios XI server without sanitization — an authenticated attacker with low-privilege credentials (PR:L) can inject arbitrary shell commands via this parameter, achieving root-level code execution on the monitoring server. CVE-2021-25297 is part of a three-CVE cluster (25296, 25297, 25298) discovered by Rana Khalil of Cisco Talos and patched in Nagios XI 5.7.5. All three affect different configuration wizards and were added to CISA KEV simultaneously in January 2022.

Affected Versions

Product | Vulnerable | Fixed
Nagios XI before 5.7.5 | Yes | Nagios XI 5.7.5 (February 2021)

Technical Details

  • Root cause: OS command injection (CWE-78) in Nagios XI's LDAP wizard backend — the ldap_check parameter (controlling what LDAP server and query to test) is passed to a shell command used to verify LDAP connectivity without sanitizing shell metacharacters; injected sequences (;cmd, &&cmd, `cmd`) execute alongside the intended LDAP check command
  • Low-privilege exploitation: PR:L — any authenticated Nagios XI user can access the LDAP wizard endpoint and trigger the injection regardless of their role; Nagios XI's fine-grained access control does not prevent low-privilege users from reaching configuration wizard endpoints by default
  • Root execution: Backend Nagios XI processes run with elevated OS privileges to execute monitoring checks and write configuration; injected commands inherit these privileges, achieving root-level code execution
  • LDAP context adds credential exposure: LDAP wizard functionality likely involves stored LDAP/Active Directory credentials within Nagios; post-exploitation can retrieve these AD credentials for lateral movement
  • Same impact as CVE-2021-25296/25298: All three Nagios XI command injection CVEs achieve equivalent root RCE outcomes through different injection points — patching one does not protect against the others; Nagios XI 5.7.5 patches all three simultaneously
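
The unsanitized-parameter pattern described in the bullets above, placed beside a hardened version, as an added Python example. This is not Nagios XI's own code (Nagios XI is written in PHP); the function names, the check_ldap plugin path and the sample host values are assumptions chosen for illustration. The flawed builder pastes the host parameter into a shell string, while the hardened builder validates the host against an allowlist (IP address or RFC 1123 hostname) and produces an argv list that is executed without a shell, so metacharacters in the parameter are never interpreted.

```python
import ipaddress
import re
import subprocess

# Hypothetical wizard backend (assumption: not Nagios XI's own code) that turns a
# user-supplied LDAP host parameter into a connectivity check. The plugin path is
# the conventional Nagios libexec location, also an assumption.
CHECK_LDAP = "/usr/local/nagios/libexec/check_ldap"

# RFC 1123 style hostname: labels of letters, digits and hyphens, not starting or
# ending with a hyphen, joined by dots. Anything else, including every shell
# metacharacter, fails this allowlist.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_check_vulnerable(ldap_host: str, base_dn: str) -> str:
    """The CWE-78 pattern: the parameter is pasted into a string that is later
    handed to a shell, so any metacharacters in ldap_host become shell syntax."""
    return f"{CHECK_LDAP} -H {ldap_host} -b {base_dn}"


def validate_ldap_host(value: str) -> str:
    """Accept only an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected LDAP host parameter: {value!r}")


def build_check_safe(ldap_host: str, base_dn: str) -> list:
    """Hardened form: validate the host against the allowlist and build an argv
    list, so no shell ever parses the parameters."""
    host = validate_ldap_host(ldap_host)
    return [CHECK_LDAP, "-H", host, "-b", base_dn]


def run_check(argv, timeout=10):
    """Execute an argv list without a shell; returns the CompletedProcess."""
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate host and one carrying a
    # metacharacter sequence of the kind the advisory describes.
    base_dn = "dc=corp,dc=example,dc=com"
    for host in ("ldap.corp.example.com", "ldap.corp.example.com;true"):
        print("vulnerable string :", build_check_vulnerable(host, base_dn))
        try:
            print("hardened argv     :", build_check_safe(host, base_dn))
        except ValueError as err:
            print("hardened argv     :", err)
```

The allowlist matters more than the argv list on its own: passing an argv list already stops the shell from seeing the parameter, but validating the host additionally rejects values that could be abused by the plugin itself (for example an argument that begins with a hyphen) and gives the wizard a clean place to log and alert on rejected input.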

Discovery

Discovered by Rana Khalil of Cisco Talos alongside CVE-2021-25296 and CVE-2021-25298. Patched in Nagios XI 5.7.5. The simultaneous discovery of three command injection flaws in different Nagios XI wizards reflects a systematic code review finding unsanitized parameter usage throughout the wizard framework.

Exploitation Context

See CVE-2021-25296 for the broader exploitation context of Nagios XI monitoring server vulnerabilities. CVE-2021-25297's LDAP wizard vector is particularly relevant in enterprise environments where Nagios XI is integrated with Active Directory for authentication or monitoring — LDAP credentials stored in Nagios may provide an attacker direct access to AD after exploiting this vulnerability. Network monitoring servers are among the highest-value pivot points in enterprise networks.

Remediation

  1. Update Nagios XI to version 5.7.5 or later — patches CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298 together
  2. Restrict Nagios XI web interface to authorized administrators — prevent low-privilege users from accessing configuration wizard endpoints
  3. Restrict network access to the Nagios XI management interface; internet-accessible Nagios XI deployments should be firewalled immediately
  4. Rotate LDAP/Active Directory credentials stored in Nagios XI configurations after patching
  5. Review the Nagios XI server for unauthorized changes: new admin accounts, modified cron jobs, unexpected SSH keys, unusual outbound connections
  6. Apply patches for all three wizard CVEs simultaneously — each independently provides root RCE

Key Details

Property | Value
CVE ID | CVE-2021-25297
Vendor / Product | Nagios — Nagios XI
NVD Published | 2021-02-15
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 8.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity | HIGH
CISA KEV Added | 2022-01-18
CISA KEV Deadline | 2022-02-01
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date | Event
2021-02-13 | Nagios XI 5.7.5 released patching CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298
2021-02-15 | CVE published; Rana Khalil (Cisco Talos) credited with discovery
2022-01-18 | Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Nagios XI Changelog — Security Fix | Vendor Advisory
NVD — CVE-2021-25297 | Vulnerability Database
CISA KEV Catalog Entry | US Government