CVE-2026-2043

High

Published: 20 February 2026

Published

20 February 2026

Modified

24 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0136 80.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the esensors_websensor_configwizard_func method. The…

issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents command injection by requiring validation of user-supplied strings before using them in system calls within the esensors_websensor_configwizard_func method.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by requiring timely identification, reporting, and correction of flaws such as this OS command injection issue through patching.

AC-6 Least Privilege partial match

prevent

Limits the impact of arbitrary code execution by ensuring the Nagios service account operates with least privilege necessary.

Security SummaryAI

CVE-2026-2043 is a command injection vulnerability resulting in remote code execution within the esensors_websensor_configwizard_func method of Nagios Host. The issue stems from insufficient validation of user-supplied strings before they are used in system calls, allowing arbitrary code execution on affected installations. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-78 (OS Command Injection). It was originally tracked as ZDI-CAN-28249.

An authenticated remote attacker can exploit this vulnerability by supplying a malicious string to the affected method, injecting commands that execute in the context of the Nagios service account. This grants high-impact privileges, including confidentiality, integrity, and availability compromises, without requiring user interaction.

Advisories provide mitigation guidance, with Nagios releasing a patched version documented in their changelog at https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/. Additional details are available in the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-072/.

Details

CWE(s): CWE-78

Affected Products

nagios

nagios xi

2026

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of a public-facing web application (Nagios web interface) via authenticated command injection (CWE-78), directly facilitating T1190 and arbitrary Unix shell command execution (T1059.004) as the Nagios service account.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1/
Product, Release Notes · zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-26-072/
Third Party Advisory · zdi-disclosures@trendmicro.com