CVE-2024-13996

CriticalPublic PoC

Published: 30 October 2025

Published

30 October 2025

Modified

06 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13996 is a critical-severity Insufficient Session Expiration (CWE-613) vulnerability in Nagios Nagios Xi. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-10 (Concurrent Session Control).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-12 Session Termination good match

prevent

AC-12 requires systems to terminate user sessions upon organization-defined conditions such as password changes, directly preventing pre-existing sessions from remaining valid after credential updates.

IA-5 Authenticator Management partial match

prevent

IA-5 mandates invalidation of authenticators under defined circumstances including password changes, which addresses associated session persistence by requiring management of authentication artifacts.

AC-10 Concurrent Session Control partial match

prevent

AC-10 enforces limits on concurrent sessions and terminates excess or all concurrent sessions under specified conditions, mitigating the impact of multiple active sessions post-password change.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1185 Browser Session Hijacking Collection

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

T1550.004 Web Session Cookie Lateral Movement

Adversaries can use stolen session cookies to authenticate to web applications and services.

attack.mitre.org →

Why these techniques?

Vulnerability enables exploitation of public-facing web app (T1190) and facilitates browser session hijacking (T1185), web session cookie theft (T1539), and use of stolen web session cookies for continued unauthorized access (T1550.004) even after password changes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential…

update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.

Deeper analysisAI

CVE-2024-13996 is an insufficient session expiration vulnerability (CWE-613) in Nagios XI versions prior to 2024R1.1.3. When a user's password is changed, the software fails to invalidate all other active sessions associated with that user. This allows pre-existing sessions, including those potentially compromised by an attacker, to remain valid post-credential update, enabling continued unauthorized access.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability. An attacker with prior access to a valid user session—such as through session hijacking, theft, or fixation—can maintain access to sensitive user data and perform unauthorized actions even after the legitimate user changes their password.

Advisories recommend upgrading to Nagios XI 2024R1.1.3 or later to address the issue, as detailed in the Nagios changelog (https://www.nagios.com/changelog/nagios-xi/), security products page (https://www.nagios.com/products/security/#nagios-xi), and VulnCheck advisory (https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change).

Details

CWE(s): CWE-613

Affected Products

nagios

nagios xi

2024 · ≤ 2024

CVEs Like This One

CVE-2023-7317Same product: Nagios Nagios Xi

CVE-2026-2041Same product: Nagios Nagios Xi

CVE-2024-13999Same product: Nagios Nagios Xi

CVE-2025-34284Same product: Nagios Nagios Xi

CVE-2024-14003Same product: Nagios Nagios Xi

CVE-2026-2043Same product: Nagios Nagios Xi

CVE-2024-14005Same product: Nagios Nagios Xi

CVE-2026-2042Same product: Nagios Nagios Xi

CVE-2025-67255Same product: Nagios Nagios Xi

CVE-2024-13995Same product: Nagios Nagios Xi

References

https://www.nagios.com/changelog/nagios-xi/
Release Notes · disclosure@vulncheck.com
https://www.nagios.com/products/security/#nagios-xi
Vendor Advisory · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change
Third Party Advisory · disclosure@vulncheck.com