CVE-2024-13994 | THREATINT

Description

Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account.

PUBLISHED Reserved 2025-10-22 | Published 2025-10-30 | Updated 2025-10-31 | Assigner VulnCheck

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version before 2024R1.1.2

affected

Credits

Kevin De Frene finder

References

www.nagios.com/products/security/ vendor-advisory patch

www.nagios.com/changelog/nagios-xi/ release-notes patch

www.vulncheck.com/...w-insecure-logins-missing-authorization third-party-advisory

cve.org (CVE-2024-13994)

nvd.nist.gov (CVE-2024-13994)

Download JSON