Linuxfabrik monitoring-plugins CVE-2026-52817
HIGHSeverity by source
Local escalation requiring prior control of the nagios user (PR:L), no interaction, and a one-line deterministic PoC (AC:L) yielding full root (C/I/A:H).
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Summary
In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user:
PoC
By choosing a particular argument, you can get (as a nagios user) a root shell:
sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"Since the nagious user can use sudo to run apt-get as root, the resulting shell is also running as root.
Impact
The vulnerability is a local privilege escalation, impacting users who use the provided sudoers file. It requires that an attacker already compromised the nagios account (which is quite a high barrier to be honest).
Fix
Since only one place where apt-get is currently used (in deb-updates) was found, it should be enough to allow only the specific arguments used there.
Here an example how the line in the sudoers file could look like:
/usr/lib64/nagios/plugins/strongswan-connections,\
/usr/lib64/nagios/plugins/systemd-unit,\
/usr/bin/apt-get update --quiet 2AnalysisAI
Local privilege escalation in Linuxfabrik monitoring-plugins arises from the shipped Debian.sudoers file, which grants the nagios user passwordless sudo to apt-get without constraining arguments (CWE-88 argument injection). Any attacker who already controls the nagios account can run 'sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh' to spawn a root shell. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target host has installed the provided Debian.sudoers file granting the nagios user passwordless sudo to apt-get, AND that the attacker has already obtained execution as the nagios user - this prior-compromise requirement is the principal limiting factor, as stated by the reporter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, KEV listing, or SSVC decision data was provided, so quantitative signals are absent and severity must be inferred from the description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already compromised the nagios service account - for example via a vulnerable monitoring check, a leaked SSH key, or a foothold on the host - runs 'sudo apt-get update -o APT::Update::Pre-Invoke::="/bin/sh"', which apt-get executes as root before performing the update, dropping the attacker into an interactive root shell. A working PoC is published in the vendor advisory, making exploitation trivial and reliable once the nagios account is held. |
| Remediation | The primary fix is to replace the permissive 'apt-get' sudoers entry with a fully-qualified command line matching only the arguments the suite actually uses, i.e. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Linuxfabrik monitoring-plugins and verify whether the vulnerable Debian.sudoers file is present. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8w6w-23mq-h8rg