Cybersecurity researchers have disclosed details about 13 vulnerabilities in the Nagios network monitoring application. The vulnerabilities could be abused by an adversary to hijack the infrastructure without operator intervention. The issues were discovered and reported to Nagios in October 2020, following which they were remediated in November. An attacker can use the vulnerabilities to compromise the telco, and then every other monitored customer site, CEO Adi Ashkenazy said in an email to The Hacker News via email. The attack scenario works by targeting a Nagios XI server at the customer site and using CVE-28648 and CVE-2020-28910 to gain RCE.
Source: https://thehackernews.com/2021/05/details-disclosed-on-critical-flaws.html