CVE-2026-2041

High

Published: 20 February 2026

Published

20 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0157 81.6th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the zabbixagent_configwizard_func method. The…

issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the lack of proper validation of user-supplied strings before using them to execute system calls, preventing command injection.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the specific command injection flaw through timely patching as advised in the CVE.

AC-6 Least Privilege partial match

prevent

Limits the impact of arbitrary code execution by ensuring the Nagios service account operates with least privileges necessary.

Security SummaryAI

CVE-2026-2041 is a command injection vulnerability resulting in remote code execution within the zabbixagent_configwizard_func method of Nagios Host. The flaw stems from insufficient validation of user-supplied strings before they are used in system calls, allowing arbitrary code execution on affected installations. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-78 (OS Command Injection). It was reported as ZDI-CAN-28250.

Remote attackers with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Authentication is required, but successful exploitation enables execution of arbitrary code in the context of the Nagios service account, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U).

Advisories from the Zero Day Initiative (https://www.zerodayinitiative.com/advisories/ZDI-26-073/) and the Nagios changelog (https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/) provide further details on the issue, including patch information for mitigation.

Details

CWE(s): CWE-78

Affected Products

nagios

nagios xi

2026

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection vulnerability in Nagios web config wizard enables remote authenticated exploitation of a public-facing application (T1190) for OS command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/
Product, Release Notes · zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-26-073/
Third Party Advisory · zdi-disclosures@trendmicro.com