CVE-2021-25298 — Nagios XI OS Command Injection

Nagios XI Network Monitoring — Authenticated OS Command Injection via SNMP/CGI Interface Enables Root Code Execution on Monitoring Server

What is Nagios XI's SNMP and CGI Interface?

Nagios XI's nagios.cgi and related CGI interface handle monitoring check execution, status retrieval, and configuration interactions between the Nagios XI web frontend and the Nagios Core backend. SNMP (Simple Network Management Protocol) configuration in Nagios XI allows monitoring of network devices via SNMP queries — with the wizard accepting network device addresses and community strings that are used to construct SNMP check commands. Parameters passed to the Nagios CGI interface or SNMP wizard that are incorporated into OS commands without sanitization create command injection vulnerabilities: any authenticated user who can send crafted requests to these endpoints can inject commands that execute with the elevated privileges of the Nagios process on the monitoring server.

Overview

CVE-2021-25298 is an OS command injection vulnerability in Nagios XI's SNMP monitoring configuration or nagios.cgi interface. Parameters accepted by the vulnerable endpoint are incorporated into OS commands executed on the Nagios XI server without proper sanitization, allowing an authenticated low-privilege attacker to achieve root-level code execution on the monitoring server. CVE-2021-25298 is the third in a cluster of three Nagios XI command injection vulnerabilities (25296, 25297, 25298) discovered by Rana Khalil of Cisco Talos, all patched in Nagios XI 5.7.5 (February 2021), and all added to CISA KEV in January 2022.

Affected Versions

Product                  Vulnerable   Fixed
Nagios XI before 5.7.5   Yes          Nagios XI 5.7.5 (February 2021)

Technical Details

  • Root cause: OS command injection (CWE-78) in Nagios XI's nagios.cgi or SNMP configuration handler — a parameter controlling SNMP target addressing, community string, or check configuration is passed to an OS command without sanitization, enabling injection of arbitrary shell commands via metacharacters
  • Low-privilege exploitation: PR:L — authenticated Nagios XI users regardless of role can access the affected CGI or wizard endpoint; the injection does not require administrative privileges within Nagios XI
  • Root execution context: Nagios Core backend processes, including those invoked by the CGI interface, run with root or elevated OS privileges; injected commands inherit these privileges
  • Monitoring infrastructure access: Post-exploitation of the Nagios XI server provides access to all SNMP community strings, device credentials, network topology data, and check scripts stored on the monitoring server — a comprehensive enumeration of the monitored network
  • Three concurrent CVEs, equal severity: CVE-2021-25298 is independently exploitable and achieves the same root RCE outcome as CVE-2021-25296 and CVE-2021-25297; all three must be patched; any single unpatched wizard provides full compromise
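The root-cause bullets above and the interface description describe wizard parameters (device address, community string, check settings) being concatenated into an OS command. The following is an added illustration, not Nagios XI's own code: an allowlisting builder for an SNMP check command that never passes those parameters through a shell. The parameter names and the snmpget invocation are assumptions for the example; the page does not specify the exact wizard fields.

```python
import re
import subprocess
from typing import List

# Hypothetical builder for an SNMP check of the kind the advisory describes
# (not Nagios XI's code). Allowlists: a hostname/IPv4 label set (IPv6 is
# deliberately out of scope here), a conservative community string, and a
# dotted-numeric OID. Nothing matching these can carry ; | & $ ` or newlines.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
OID_RE = re.compile(r"^\d+(?:\.\d+){1,127}$")


class InvalidParameter(ValueError):
    """Raised when a wizard parameter fails its allowlist."""


def validate(name: str, value: str, pattern: "re.Pattern[str]") -> str:
    # fullmatch() anchors both ends, so a trailing metacharacter cannot slip by.
    if not pattern.fullmatch(value):
        raise InvalidParameter(f"{name} rejected: {value!r}")
    return value


def snmp_check_argv(host: str, community: str, oid: str) -> List[str]:
    """Build argv for snmpget without a shell string ever being formed.

    CWE-78 arises when these values are concatenated into a command string
    that /bin/sh parses. An argv list executed with shell=False gives
    metacharacters no parser to reach, and the allowlists reject them anyway.
    """
    return [
        "snmpget", "-v2c",
        "-c", validate("community", community, COMMUNITY_RE),
        validate("host", host, HOST_RE),
        validate("oid", oid, OID_RE),
    ]


def run_snmp_check(host: str, community: str, oid: str) -> subprocess.CompletedProcess:
    # shell=False is already the default for a list argv; stated for emphasis.
    return subprocess.run(snmp_check_argv(host, community, oid),
                          shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation address, sysDescr OID).
    print(snmp_check_argv("192.0.2.10", "public", "1.3.6.1.2.1.1.1.0"))
    try:
        snmp_check_argv("192.0.2.10;", "public", "1.3.6.1.2.1.1.1.0")
    except InvalidParameter as exc:
        print("rejected:", exc)
```

The same validator can be run over parameters recovered from web server logs when reviewing an unpatched host, since any wizard request that fails the allowlist deserves a closer look.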

Discovery

Discovered by Rana Khalil of Cisco Talos as part of a Nagios XI security review that identified OS command injection across multiple configuration wizard and CGI endpoints. Patched in Nagios XI 5.7.5.

Exploitation Context

See CVE-2021-25296 for the broader exploitation context of Nagios XI monitoring server vulnerabilities. The three Nagios XI command injection CVEs (25296, 25297, 25298) are treated as a unit by both defenders and attackers: a Nagios XI server running a version before 5.7.5 is vulnerable to root RCE via any of the three vectors, and patching requires upgrading to 5.7.5 to address all three simultaneously.

Remediation

  1. Update Nagios XI to version 5.7.5 or later — the single update patches all three command injection CVEs (25296, 25297, 25298)
  2. Restrict Nagios XI web interface network access: block access from untrusted networks and the internet; only administrator workstations should reach the Nagios XI management interface
  3. Restrict which user roles can access configuration wizards and CGI endpoints within Nagios XI's access control settings
  4. Rotate all credentials stored in Nagios XI (SNMP community strings, SSH keys, device passwords) after patching — these credentials should be treated as potentially compromised on any unpatched installation
  5. Review the Nagios XI host for signs of compromise: unexpected user accounts, modified cron jobs, unusual processes, unauthorized SSH authorized_keys entries
  6. Consider deploying Nagios XI behind a VPN or bastion host rather than directly internet-accessible

Key Details

Property               Value
CVE ID                 CVE-2021-25298
Vendor / Product       Nagios — Nagios XI
NVD Published          2021-02-15
NVD Last Modified      2025-11-03
CVSS 3.1 Score         8.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2022-01-18
CISA KEV Deadline      2022-02-01
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-02-01. Apply updates per vendor instructions.

Timeline

Date         Event
2021-02-13   Nagios XI 5.7.5 released, patching CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298
2021-02-15   CVE published; Rana Khalil (Cisco Talos) credited with discovery
2022-01-18   Added to CISA Known Exploited Vulnerabilities catalog
2022-02-01   CISA BOD 22-01 remediation deadline

References

Resource                              Type
Nagios XI Changelog — Security Fix    Vendor Advisory
NVD — CVE-2021-25298                  Vulnerability Database
CISA KEV Catalog Entry                US Government