
Cloud Vulnerability DB
A community-led vulnerabilities database
Nagios XI, a network monitoring solution, contains an authenticated remote command execution vulnerability in the CCM command_test.php script in versions prior to 5.6.14. The vulnerability was discovered and disclosed on October 30, 2025, and is tracked as CVE-2020-36856 (VulnCheck Advisory).
The vulnerability stems from insufficient validation of the 'address' parameter in the CCM command_test.php script. This allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are incorporated into backend command invocations. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and has received a CVSS v4.0 Base Score of 9.4 CRITICAL with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (VulnCheck Advisory).
Successful exploitation of this vulnerability enables arbitrary command execution with the privileges of the Nagios XI web application user. This access can be leveraged to execute commands on the underlying XI host, modify system configuration, or fully compromise the host (VulnCheck Advisory).
The vulnerability has been patched in Nagios XI version 5.6.14. Users should upgrade to this version or later to address the issue (Nagios Changelog).
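For hosts that ran a version before 5.6.14, web access logs can be reviewed for requests to command_test.php whose 'address' value is not a plain hostname or IP address. The following is an added example, not code from Nagios or the advisory; the log lines, the combined log format, the `PLACEHOLDER` path segment and the allowlist pattern are constructed assumptions, and only query-string parameters are visible this way (a value sent in a POST body would not appear in an access log).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: client ... "METHOD target PROTOCOL" ...
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Assumption: a legitimate 'address' is a hostname, IPv4 or IPv6 literal.
# Allowlisting also rejects values that start with '-' (option injection).
SAFE_ADDRESS = re.compile(r'[A-Za-z0-9][A-Za-z0-9._:-]*')

def suspicious_address_requests(lines):
    """Return (line_number, client, decoded_address) for each request to
    command_test.php whose 'address' parameter fails the allowlist."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/command_test.php"):
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are caught.
        for value in parse_qs(url.query).get("address", []):
            if not SAFE_ADDRESS.fullmatch(value):
                findings.append((number, match.group("client"), value))
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /nagiosxi/PLACEHOLDER/command_test.php?address=192.0.2.10 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:02:11 +0000] "GET /nagiosxi/PLACEHOLDER/command_test.php?address=192.0.2.10%3Bid HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2025:10:02:30 +0000] "GET /nagiosxi/index.php?address=a%7Cb HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2025:10:03:02 +0000] "GET /nagiosxi/PLACEHOLDER/command_test.php?address=192.0.2.10%26%26id HTTP/1.1" 200 655',
    '203.0.113.5 - - [01/Jan/2025:10:05:00 +0000] "GET /nagiosxi/PLACEHOLDER/command_test.php?address=db01.example.org HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, client, value in suspicious_address_requests(SAMPLE_LOG):
        print(f"line {number}: client {client} sent address={value!r}")
```

A hit is a lead for triage rather than proof of compromise; correlate the client, the authenticated session and the time with process and configuration changes on the XI host.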
Source: This report was generated using AI