CVE-2024-13986
Published: 28 August 2025
Summary
CVE-2024-13986 is a high-severity Path Traversal (CWE-22) vulnerability in Nagios Nagios Xi. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses insufficient validation of file paths and extensions during MIB upload and snapshot rename, preventing path traversal and arbitrary PHP file uploads leading to RCE.
Enforces restrictions on file types, paths, and inputs at the web application boundary, blocking malicious MIB files and traversal attempts in the Core Config Snapshots interface.
Mandates identification, reporting, and correction of the specific flaw by applying the vendor patch to Nagios XI 2024R1.3.2 or later, eliminating the chained vulnerabilities.
NVD Description
Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during…
more
MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.
Deeper analysisAI
CVE-2024-13986 is a remote code execution vulnerability affecting Nagios XI versions prior to 2024R1.3.2. It stems from chaining two flaws in the Core Config Snapshots interface: an arbitrary file upload and a path traversal vulnerability. These issues arise due to insufficient validation of file paths and extensions during MIB upload and snapshot rename operations, allowing attackers to place attacker-controlled PHP files in a web-accessible directory, where they execute as the www-data user. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-22 (Path Traversal) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By leveraging the file upload flaw to submit a malicious MIB file and the path traversal during snapshot rename, the attacker achieves arbitrary PHP code execution on the server as the www-data user, potentially leading to high confidentiality, integrity, and availability impacts.
Advisories recommend updating to Nagios XI 2024R1.3.2 or later to mitigate the vulnerability, as detailed in the Nagios changelog and security advisories. Additional technical details and proof-of-concept information are available from sources including VulnCheck and TheyHack.me references.
Details
- CWE(s)