Rapid7 Vulnerability & Exploit Database

Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection

Back to Search

Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection



This module exploits a command injection vulnerability (CVE-2020-35578) in the `/admin/monitoringplugins.php` page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the `apache` user by uploading a malicious plugin. Valid credentials for a Nagios XI admin user are required. This module has been successfully tested against Nagios versions XI 5.3.0 and 5.7.5, both running on CentOS 7.


  • Haboob Team
  • Erik Wynter




x86, x64, cmd


Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
msf exploit(nagios_xi_plugins_filename_authenticated_rce) > show targets
msf exploit(nagios_xi_plugins_filename_authenticated_rce) > set TARGET < target-id >
msf exploit(nagios_xi_plugins_filename_authenticated_rce) > show options
    ...show and set options...
msf exploit(nagios_xi_plugins_filename_authenticated_rce) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security