Cyber Resilience

CVE-2024-13986

HighPublic PoC

Published: 28 August 2025

Published
28 August 2025
Modified
04 November 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0237 85.3th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13986 is a high-severity Path Traversal (CWE-22) vulnerability in Nagios Nagios Xi. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13986 is a remote code execution vulnerability affecting Nagios XI versions prior to 2024R1.3.2. It stems from chaining two flaws in the Core Config Snapshots interface: an arbitrary file upload and a path traversal vulnerability. These issues arise due to insufficient validation of file paths and extensions during MIB upload and snapshot rename operations, allowing attackers to place attacker-controlled PHP files in a web-accessible directory, where they execute as the www-data user. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the file upload flaw to submit a malicious MIB file and the path traversal during snapshot rename, the attacker achieves arbitrary PHP code execution on the server as the www-data user, potentially leading to high confidentiality, integrity, and availability impacts.

Advisories recommend updating to Nagios XI 2024R1.3.2 or later to mitigate the vulnerability, as detailed in the Nagios changelog and security advisories. Additional technical details and proof-of-concept information are available from sources including VulnCheck and TheyHack.me references.

EU & UK References

Vulnerability details

Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during…

more

MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

RCE via unauthenticated-style file upload + path traversal on public-facing Nagios web app directly enables T1190; resulting arbitrary PHP execution in web root is T1505.003 web shell.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2020-36863Same product: Nagios Nagios Xi
CVE-2020-36867Same product: Nagios Nagios Xi
CVE-2023-7317Same product: Nagios Nagios Xi
CVE-2025-34284Same product: Nagios Nagios Xi
CVE-2024-13999Same product: Nagios Nagios Xi
CVE-2024-14005Same product: Nagios Nagios Xi
CVE-2024-14003Same product: Nagios Nagios Xi
CVE-2026-2043Same product: Nagios Nagios Xi
CVE-2012-10063Same product: Nagios Nagios Xi
CVE-2026-2041Same product: Nagios Nagios Xi

Affected Assets

nagios
nagios xi
2024 · ≤ 2024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses insufficient validation of file paths and extensions during MIB upload and snapshot rename, preventing path traversal and arbitrary PHP file uploads leading to RCE.

prevent

Enforces restrictions on file types, paths, and inputs at the web application boundary, blocking malicious MIB files and traversal attempts in the Core Config Snapshots interface.

prevent

Mandates identification, reporting, and correction of the specific flaw by applying the vendor patch to Nagios XI 2024R1.3.2 or later, eliminating the chained vulnerabilities.

References