🚨 CRITICAL ALERT: Active Zero-Day Exploits

Immediate threat detected: Five critical vulnerabilities with CVSS scores ≥ 8.0 are actively exploited in the wild, including unauthenticated remote command execution and authenticated OS command injection targeting Nagios XI, Sitecore XP, and D-Link devices. All are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming ongoing attacks and an urgent need for patching[1][2][4].

Critical Vulnerabilities (CVSS >= 8.0)

  • CVE-2021-25296 (CVSS: 8.8): Nagios XI version xi-5.7.5 is affected by OS command injection via improper sanitization in /usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php. Authenticated attackers can execute arbitrary OS commands with a single HTTP request. Exploited in active cryptomining attacks[1][3]. View NVD | CISA KEV
  • CVE-2021-25297 (CVSS: 8.8): Nagios XI version xi-5.7.5 is affected by OS command injection in /usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php. Authenticated users can inject commands via unvalidated input, leading to full server compromise. Listed in CISA KEV since 2022-01-18[1][3]. View NVD | CISA KEV
  • CVE-2021-25298 (CVSS: 8.8): Nagios XI version xi-5.7.5 is vulnerable in /usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php. Authenticated attackers can execute arbitrary OS commands through unsanitized input, enabling remote code execution. Active exploitation confirmed in CISA KEV[2][5]. View NVD | CISA KEV
  • CVE-2021-42237 (CVSS: 9.8): Sitecore XP 7.5 to 8.2 Update-7 is vulnerable to insecure deserialization, allowing remote command execution without authentication. No credentials or special configuration required—exploitable by any attacker. Active in CISA KEV since 2022-03-25[1][3]. View NVD | CISA KEV
  • CVE-2022-26258 (CVSS: 9.8): D-Link DIR-820L 1.05B03 contains remote command execution (RCE) via HTTP POST to get set ccp. Unauthenticated attackers can execute arbitrary commands. Confirmed in CISA KEV since 2022-09-08[1][3]. View NVD | CISA KEV

⚡ Immediate Actions Required

Upgrade immediately: Nagios XI users must upgrade to version 5.8.5 or later to patch all three OS command injection vulnerabilities[2][5]. Sitecore XP users must apply the official security patch for CVE-2021-42237 to block unauthenticated deserialization attacks[1]. D-Link DIR-820L users must upgrade to the latest firmware or disable HTTP POST access to get set ccp[3].

Block exposure: Prevent Nagios XI and Sitecore XP from being exposed to the public internet[5]. Use WAF rules to filter malicious POST requests targeting D-Link devices[3].

Monitor for compromise: Scan for indicators of cryptomining, unexpected shell processes, or unauthorized system calls[4]. Deploy EDR solutions to detect RCE attempts in real time.
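As an added defender-side example (not part of the advisory or of any vendor tooling), the script below turns the upgrade step and the monitoring step above into two checks: a version gate against the Nagios XI 5.8.5 fix level named in the advisory, and a scan of a process snapshot for shells spawned by web server workers and for cryptominer indicators, which is what successful exploitation of an OS command injection in a PHP application tends to leave behind. Only the 5.8.5 threshold comes from the advisory; the web server process names, the miner indicator strings and the sample process snapshot are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum fixed Nagios XI version named in the advisory (5.8.5 or later).
NAGIOS_XI_FIXED = (5, 8, 5)


def parse_nagios_version(version: str) -> Tuple[int, ...]:
    """Turn a version string such as 'xi-5.7.5' or '5.8.5' into an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nagios XI version: {version!r}")
    return tuple(int(x) for x in m.groups())


def nagios_xi_is_patched(version: str) -> bool:
    """True if the installed version is at or above the fixed release."""
    return parse_nagios_version(version) >= NAGIOS_XI_FIXED


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str      # short process name, as in `ps -o comm`
    cmdline: str   # full command line, as in `ps -o args`


# Assumed names of web server / PHP worker processes; their children are
# normally not interactive shells.
WEB_PARENTS = {"apache2", "httpd", "php-fpm", "nginx"}
SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumed cryptominer indicators (process names and command-line fragments);
# not taken from the advisory.
MINER_HINTS = ("xmrig", "minerd", "stratum+tcp://", "--donate-level")


def index_by_pid(procs: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in procs}


def flag_suspicious_processes(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each process that matches a detection rule."""
    by_pid = index_by_pid(procs)
    findings: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        # Rule 1: a shell whose parent is a web server worker.
        if parent and parent.comm in WEB_PARENTS and p.comm in SHELLS:
            findings.append(
                (p.pid, f"shell spawned by web server process {parent.comm}[{parent.pid}]")
            )
        # Rule 2: miner indicators anywhere in the command line.
        lowered = p.cmdline.lower()
        if any(hint in lowered for hint in MINER_HINTS):
            findings.append((p.pid, "cryptominer indicator in command line"))
    return findings


# Constructed snapshot standing in for `ps -eo pid,ppid,user,comm,args`.
SAMPLE_PROCS = [
    Proc(1, 0, "root", "systemd", "/sbin/init"),
    Proc(812, 1, "root", "httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(901, 812, "apache", "httpd", "/usr/sbin/httpd -DFOREGROUND"),
    Proc(1502, 901, "apache", "sh", "sh -c nohup ./xmrig -o stratum+tcp://203.0.113.5:3333 &"),
    Proc(1503, 1502, "apache", "xmrig", "./xmrig -o stratum+tcp://203.0.113.5:3333 --donate-level 1"),
    Proc(1600, 1, "nagios", "nagios", "/usr/local/nagios/bin/nagios -d /usr/local/nagios/etc/nagios.cfg"),
]


if __name__ == "__main__":
    for v in ("xi-5.7.5", "5.8.5"):
        state = "patched" if nagios_xi_is_patched(v) else "VULNERABLE (upgrade to 5.8.5+)"
        print(f"Nagios XI {v}: {state}")
    for pid, reason in flag_suspicious_processes(SAMPLE_PROCS):
        print(f"pid {pid}: {reason}")
```

On a live host the snapshot would be built from `ps -eo pid,ppid,user,comm,args` (or from EDR telemetry) rather than from the constructed list; the parent-child rule is deliberately narrow so that it fires on web-worker-to-shell transitions without flagging the server's own process tree.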

These vulnerabilities are actively exploited—delaying patching risks full system compromise. Prioritize remediation within 24 hours.