Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Privilege Escalation, RCE Flaws Patched in Nagios Core

Attackers can chain a couple of serious flaws affecting Nagios Core to gain complete control of systems running vulnerable versions of the product, a researcher has warned.

Attackers can chain a couple of serious flaws affecting Nagios Core to gain complete control of systems running vulnerable versions of the product, a researcher has warned.

Nagios Core is a free and open-source alerting and monitoring software for servers, networks and applications. Dawid Golunski of Legal Hackers discovered that the product has two vulnerabilities that can be used for remote code execution and privilege escalation.

The first vulnerability discovered by the expert, CVE-2016-9565, has been described as a remote code execution issue. Golunski noticed that the application’s web interface is affected by a flaw that can be exploited by a man-in-the-middle (MitM) attacker via the RSS feed feature.

According to the researcher, an attacker who can impersonate the RSS feed server – via DNS poisoning, domain hijacking or other techniques – can read and write arbitrary files on the vulnerable server and execute code in the context of a Nagios user.

Once this level of access has been obtained, an attacker can exploit a second weakness discovered by Golunski (CVE-2016-9566) to elevate privileges to root, which can result in the targeted system getting completely compromised.

This second vulnerability exists due to the way the Nagios Core daemon handles log files. An attacker who gains access to the system via CVE-2016-9566 can modify the log file and point it to a malicious file, which results in elevated privileges after a restart of Negios. The researcher pointed out that the attacker can force a restart by using the “SHUTDOWN_PROGRAM” command.

CVE-2016-9565 was initially patched in August with the release of Nagios Core 4.2.0, but the fix turned out to be incomplete. A proper patch was rolled out on October 24 with the release of version 4.2.2. CVE-2016-9566 was resolved earlier this month in Nagios Core 4.2.4. Proof-of-concept (PoC) exploits have been made available for both vulnerabilities.

This is not the first time Golunski has found vulnerabilities that can be chained for a high impact exploit. The expert recently disclosed several MySQL flaws that could have been leveraged to execute arbitrary code with elevated privileges.

Related Reading: Attackers Can Target Enterprises via GroupWise Collaboration Tool

Related Reading: Serious Vulnerabilities Found in McAfee Enterprise Product

Related Reading: Organizations Exposed to Attacks by Flaws in Kerio Firewalls

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.