CVE-2024-13986
Nagios XI < 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Nagios XI versions before 2024R1.3.2 contain a remote code execution vulnerability that arises from chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The root cause is insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation places attacker-controlled PHP files in a web-accessible directory, where they execute as the www-data user.
| CWE | CWE-434, CWE-22 |
| Vendor | nagios |
| Product | nagios xi |
| Published | Aug 28, 2025 |
| Last Updated | Feb 26, 2026 |
Affected Versions
Nagios / Nagios XI
* < 2024R1.3.2
References
* theyhack.me: https://theyhack.me/Nagios-XI-Authenticated-RCE
* nagios.com: https://www.nagios.com/changelog/nagios-xi/
* nagios.com: https://www.nagios.com/products/security/#nagios-xi
* vulncheck.com: https://www.vulncheck.com/advisories/nagios-xi-authenticated-arbitrary-file-upload-path-traversal-rce
* theyhack.me: https://theyhack.me/Nagios-XI-Authenticated-RCE/
Credits
M. Cory Billington of theyhack.me