
Description

Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service.

Status: PUBLISHED | Reserved 2025-10-22 | Published 2025-10-30 | Updated 2025-10-31 | Assigner: VulnCheck

Severity

CRITICAL: 9.4 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 2024R1.2: unknown

Credits

Exodus Intelligence (finder)

References

www.nagios.com/products/security/ (vendor-advisory, patch)

www.nagios.com/changelog/nagios-xi/ (release-notes, patch)

www.vulncheck.com/...s/nagios-xi-rce-via-nrdp-server-plugins (third-party-advisory)

cve.org (CVE-2024-14003)

nvd.nist.gov (CVE-2024-14003)
