CVE-2020-5791

7.2 HIGH

📋 TL;DR

This vulnerability allows a remote, authenticated admin user of Nagios XI 5.7.3 to execute arbitrary operating system commands with the privileges of the apache user. It is an OS command injection flaw, so an attacker who holds admin credentials can run commands on the underlying host. Only Nagios XI installations with admin users are affected.

💻 Affected Systems

Products:
  • Nagios XI
Versions: 5.7.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin user access; default Nagios XI installations include admin accounts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation from the apache user to root, leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Unauthorized command execution allowing data exfiltration, backdoor installation, or manipulation of the monitoring system.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, potentially containing the damage to the Nagios server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Multiple public exploit scripts available; requires admin credentials but exploitation is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.4 and later

Vendor Advisory: https://www.nagios.com/downloads/nagios-xi/change-log/

Restart Required: Yes

Instructions:

1. Back up the current Nagios XI configuration and data.
2. Download Nagios XI 5.7.4 or later from the Nagios website.
3. Follow the Nagios XI upgrade documentation.
4. Restart the Nagios services after the upgrade.

🔧 Temporary Workarounds

Remove Admin Access

Temporarily disable or remove admin user accounts until patching can be completed.

# Edit the Nagios XI user configuration to remove admin privileges

Network Segmentation

Restrict access to the Nagios XI admin interface to trusted IP addresses only.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

Replace TRUSTED_IP with the address or CIDR range that should keep access. These rules affect every HTTP/HTTPS client of the Nagios XI host, not just the admin pages, and because -A appends to the chain they only take effect if no earlier rule already accepts that traffic.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Nagios XI admin interface access
  • Enable detailed logging and monitoring for command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the Nagios XI version via the web interface or by running:

grep 'product_version' /usr/local/nagiosxi/html/config.inc.php

The affected release is 5.7.3; the fix ships in 5.7.4 and later.

Verify Fix Applied:

Verify that the version is 5.7.4 or higher and test that the admin interface still functions.
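A small check script covering both steps above, added here as an example and not part of the advisory. It reads product_version from config.inc.php, assuming the line looks like $cfg['product_version'] = '5.7.3';, compares it field by field against 5.7.4, and falls back to a constructed sample file when the real path is absent; NAGIOSXI_CFG is an assumed environment variable for overriding the path.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Nagios XI install is
# below the fixed release 5.7.4 by reading product_version from config.inc.php.
# Assumed line format: $cfg['product_version'] = '5.7.3';
FIXED_VERSION="5.7.4"
# extract_version FILE: print the first x.y.z value on a product_version line.
extract_version() {
    grep 'product_version' "$1" 2>/dev/null \
        | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# version_lt A B: exit 0 if dotted version A sorts before B, 1 otherwise.
# Compares field by field so 5.7.10 is correctly newer than 5.7.4.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ "$p1" = "$v1" ]; then v1=""; else v1=${v1#*.}; fi
        if [ "$p2" = "$v2" ]; then v2=""; else v2=${v2#*.}; fi
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
    done
    return 1
}

# check_nagiosxi FILE: print a verdict; exit 0 = vulnerable, 1 = patched,
# 2 = no version found (e.g. file missing or unreadable).
check_nagiosxi() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: no product_version found in $1"; return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: Nagios XI $ver < $FIXED_VERSION (CVE-2020-5791)"; return 0
    fi
    echo "PATCHED: Nagios XI $ver >= $FIXED_VERSION"; return 1
}

# sample_config VERSION: write a constructed config.inc.php for a stand-alone run.
sample_config() {
    tmp=$(mktemp)
    printf "<?php\n\$cfg['product_version'] = '%s';\n" "$1" > "$tmp"
    echo "$tmp"
}

# Use the real config path from the advisory, or the constructed sample if absent.
CFG="${NAGIOSXI_CFG:-/usr/local/nagiosxi/html/config.inc.php}"
[ -r "$CFG" ] || CFG=$(sample_config 5.7.3)
check_nagiosxi "$CFG" || true
```

The exit code (0 vulnerable, 1 patched, 2 unknown) makes the script usable from a fleet-wide inventory job as well as by hand.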

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Apache logs
  • Suspicious admin login patterns
  • Unexpected system commands in Nagios logs

Network Indicators:

  • Unusual outbound connections from Nagios server
  • Command injection patterns in HTTP requests

SIEM Query:

source="apache" AND (url="*admin*" AND (cmd="*|*" OR cmd="*;*" OR cmd="*`*"))
