CVE-2020-36868: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 5.7.3 contain a privilege escalation vulnerability in the getprofile.sh helper script. The vulnerability was discovered and disclosed on October 30, 2025, identified as CVE-2020-36868. The affected system is Nagios XI monitoring software versions below 5.7.3 (VulnCheck Advisory).

The vulnerability exists in the getprofile.sh helper script which performs profile retrieval and initialization routines. The script uses insecure file/command handling and has insufficient validation of attacker-controlled inputs. The vulnerability has received a CVSS v4.0 base score of 8.5 HIGH with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The weakness types associated with this vulnerability are CWE-73 (External Control of File Name or Path) and CWE-250 (Execution with Unnecessary Privileges) (VulnCheck Advisory).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands or modify privileged files, resulting in privilege escalation. The vulnerability has high impact ratings for Vulnerability Confidentiality (VC), Vulnerability Integrity (VI), and Vulnerability Availability (VA), indicating severe potential consequences across all three security aspects (VulnCheck Advisory).

The vulnerability has been fixed in Nagios XI version 5.7.3. Users should upgrade to this version or later to mitigate the vulnerability (Nagios Changelog).