CVE-2018-25122
Published: 30 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2018-25122 is a remote code execution vulnerability affecting Nagios XI versions prior to 5.4.13, specifically in the Component Download page. The issue stems from unsafe command construction in the download/import handler, which processes attacker-controlled input without sufficient validation or output encoding. This flaw, classified under CWE-78 (OS Command Injection), enables command injection and arbitrary code execution with the privileges of the Nagios XI application service. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious input during component download or import operations, the attacker can inject operating system commands, leading to arbitrary code execution on the server hosting Nagios XI. Successful exploitation grants the attacker the same privileges as the application service, potentially allowing full control over the monitoring system and any connected infrastructure.
Mitigation involves upgrading to Nagios XI version 5.4.13 or later, as detailed in the official Nagios changelog at https://www.nagios.com/changelog/nagios-xi/. Additional guidance on the vulnerability and remediation is available in the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-component-download-page-rce.
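The CWE-78 pattern the summary describes, shown as an added illustration that is not Nagios XI code: a hypothetical component-import handler that splices the download URL into a shell command string, beside a hardened form that validates the URL against an allowlist and passes it as a single argv element so no shell ever interprets it. The function names, the allowlisted host and the staging directory are assumptions made for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"exchange.nagios.org"}       # constructed allowlist for the example
DOWNLOAD_DIR = "/tmp/nagiosxi-components"     # assumed staging directory
ZIP_NAME = re.compile(r"[A-Za-z0-9_.-]+\.zip")  # only plain .zip filenames


def unsafe_build_command(url: str) -> str:
    # The CWE-78 shape: untrusted input is concatenated into a string that is
    # later handed to a shell, so any shell metacharacters in `url` become part
    # of the command. Shown for contrast only; never run it.
    return "wget -q -P %s %s" % (DOWNLOAD_DIR, url)


def validate_component_url(url: str) -> str:
    """Accept only https:// URLs to an allowlisted host on the default port whose
    path ends in a simple .zip filename. Raises ValueError otherwise."""
    # urlsplit (not urlparse) keeps ';...' inside the path, so it is validated too.
    parsed = urlsplit(url)
    if parsed.scheme != "https":
        raise ValueError("only https:// component URLs are accepted")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in component allowlist")
    if parsed.username or parsed.password or parsed.port not in (None, 443):
        raise ValueError("userinfo and non-standard ports are rejected")
    name = parsed.path.rsplit("/", 1)[-1]
    if not ZIP_NAME.fullmatch(name):
        raise ValueError("path must end in a simple .zip filename")
    return url


def url_is_accepted(url: str) -> bool:
    try:
        validate_component_url(url)
        return True
    except ValueError:
        return False


def safe_build_command(url: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. The URL is one
    argument and is never interpreted by a shell; '--' also stops wget from
    reading a value that begins with '-' as an option."""
    return ["wget", "-q", "-P", DOWNLOAD_DIR, "--", validate_component_url(url)]


def run_download(url: str) -> int:
    # shell=False (the default) execs wget directly with the argv list.
    return subprocess.run(safe_build_command(url), check=False).returncode
```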
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via OS command injection (T1059.004) in a network-accessible web application (T1190), enabling privilege escalation from low-privilege authenticated access (T1068).