CVE-2024-13986
BaseFortify
Publication date: 2025-08-28
Last updated on: 2025-11-04
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nagios | nagios_xi | up to 2024 (exclusive) |
| nagios | nagios_xi | 2024 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-13986 is an authenticated remote code execution vulnerability in Nagios XI versions before 2024R1.3.2. It involves two chained flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. Attackers with valid credentials can upload malicious PHP files to a non-web-accessible directory due to insufficient file extension validation. Then, by exploiting a path traversal vulnerability in the snapshot rename functionality, they can move these PHP files into a web-accessible directory. This allows the attacker to execute arbitrary PHP code on the server as the www-data user. [1]
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to execute arbitrary code on the Nagios XI server with the privileges of the web server user (www-data). This can lead to full compromise of the affected system, unauthorized access to sensitive data, modification or deletion of files, and potentially using the server as a foothold to attack other systems within the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying whether the Nagios XI instance is vulnerable by checking for the presence of the vulnerable endpoints, and attempting to identify unauthorized or suspicious file uploads and renames. Specifically, monitoring access to the /admin/mibs.php endpoint for file uploads and to /admin/coreconfigsnapshots.php for snapshot rename requests containing unusual path traversal sequences (e.g., ../../../../) can indicate exploitation attempts. Commands to detect suspicious files or activity could include:
1) Searching for unexpected PHP files in the web-accessible directory: `find /usr/local/nagiosxi/html/tools/ -name '*.php'`
2) Checking web server logs for requests to the vulnerable endpoints with suspicious parameters: `grep '/admin/mibs.php' /var/log/apache2/access.log` and `grep '/admin/coreconfigsnapshots.php' /var/log/apache2/access.log`
3) Monitoring for unusual rename operations involving directory traversal sequences in parameters.
These steps require authenticated access to the logs and file system. [1]
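The two grep commands above only tell you that the endpoints were hit; the rename request has to be inspected for traversal sequences, including URL-encoded and double-encoded forms that a plain `grep '../'` would miss. The following script is an added example (not part of the BaseFortify page or of Nagios XI) that parses Apache combined-format access-log lines, flags POSTs to the MIB upload endpoint, and raises a high-severity finding for any request to the snapshot endpoint whose decoded URI contains a traversal sequence. The log lines are constructed for illustration, and the query-string parameter names in them are made up; the real request shape is not on this page. Note that POST bodies are not written to the access log, so a POST to the rename endpoint is only flagged for manual review.

```python
"""Flag Apache access-log entries matching the CVE-2024-13986 detection guidance.

Added example, not part of the BaseFortify page or Nagios XI. Endpoint paths come
from the advisory text; sample log lines and their parameter names are constructed.
"""
import re
from urllib.parse import unquote

# Apache combined log format:
# client ident user [time] "METHOD uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints named in the advisory (matched by suffix so a /nagiosxi/ prefix still hits)
MIB_UPLOAD = "/admin/mibs.php"
SNAPSHOT_RENAME = "/admin/coreconfigsnapshots.php"

# "../" or "..\" after URL-decoding
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e%252f is caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str):
    """Return (finding, severity, client, raw_uri) or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, raw_uri, client = m.group("method"), m.group("uri"), m.group("client")
    uri = decode_fully(raw_uri)
    path = uri.split("?", 1)[0]
    if path.endswith(MIB_UPLOAD) and method == "POST":
        # An upload in itself is legitimate admin activity; correlate with step 1's find output
        return ("mib_upload", "medium", client, raw_uri)
    if path.endswith(SNAPSHOT_RENAME):
        if TRAVERSAL_RE.search(uri):
            return ("snapshot_rename_traversal", "high", client, raw_uri)
        if method == "POST":
            # Parameters travel in the body, which the access log does not record
            return ("snapshot_rename_post_review", "low", client, raw_uri)
    return None


def scan(lines):
    """Run classify over an iterable of log lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log; the 'action=rename&target=' parameters are hypothetical
SAMPLE_LOG = [
    '10.0.0.5 - nagiosadmin [28/Aug/2025:10:01:02 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - nagiosadmin [28/Aug/2025:10:02:10 +0000] "POST /nagiosxi/admin/mibs.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '10.0.0.5 - nagiosadmin [28/Aug/2025:10:02:45 +0000] "GET /nagiosxi/admin/coreconfigsnapshots.php?action=rename&target=..%2F..%2F..%2Fhtml%2Ftools%2Fx.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - nagiosadmin [28/Aug/2025:10:05:00 +0000] "GET /nagiosxi/admin/coreconfigsnapshots.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Feed it the real file with `scan(open("/var/log/apache2/access.log"))`; a high-severity finding together with a fresh `.php` file under the tools directory from step 1 is the combination worth treating as an incident rather than as admin noise.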
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Restricting access to the vulnerable endpoints (/admin/mibs.php and /admin/coreconfigsnapshots.php) to trusted users only.
2) Applying the vendor-provided patch or upgrading Nagios XI to version 2024R1.3.2 or later, where the vulnerability is fixed.
3) Implementing strict validation and sanitization of file uploads to disallow PHP or other executable files.
4) Monitoring and auditing file uploads and rename operations for suspicious activity.
5) If patching is not immediately possible, consider temporarily disabling the MIB upload and snapshot rename features to prevent exploitation. [1]
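Step 3 is the generic fix for the two CWEs listed above: CWE-434 is addressed by an extension allowlist applied to the whole filename (so `shell.php.mib` and `shell.mib.php` are both refused), and CWE-22 by resolving any user-supplied name against the intended directory and refusing anything that lands outside it. The code below is an added example of those two checks, not Nagios XI's own code, which is not on this page; the allowed upload extensions and the `/tmp/snapshots_demo` base directory are assumptions for the demonstration.

```python
"""Allowlist upload validation and directory-confined rename planning.

Added example illustrating mitigation step 3; not Nagios XI code. The allowed
extensions and the base directory used in the demo are assumptions.
"""
import os
from pathlib import Path

# Assumption: what a MIB upload legitimately needs
ALLOWED_UPLOAD_SUFFIXES = {".mib", ".txt"}
# Extensions a PHP-enabled web server would execute; refused anywhere in the name
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}


def has_executable_suffix(name: str) -> bool:
    """True if any dotted component of the name (not just the last) is executable."""
    return bool({s.lower() for s in Path(name).suffixes} & EXECUTABLE_SUFFIXES)


def validate_upload_name(filename: str) -> str:
    """Return a safe basename for a client-supplied filename or raise ValueError."""
    # Drop any directory part the client sent, whichever separator it used
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    if has_executable_suffix(name):
        raise ValueError("executable extension rejected")
    if Path(name).suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        raise ValueError("extension not in allowlist")
    return name


def resolve_inside(base: Path, user_path: str) -> Path:
    """Resolve user_path under base and refuse anything that escapes base.

    Both sides are resolved so symlinks and '..' are collapsed before comparing.
    """
    base = base.resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes the snapshot directory")
    return target


def plan_rename(base: Path, old_name: str, new_name: str):
    """Compute (src, dst) for a rename, refusing traversal and executable targets.

    Returns the pair instead of renaming so the check can be unit-tested
    without touching the filesystem.
    """
    src = resolve_inside(base, old_name)
    dst = resolve_inside(base, new_name)
    if has_executable_suffix(dst.name):
        raise ValueError("rename target would be executable")
    return src, dst


if __name__ == "__main__":
    base = Path("/tmp/snapshots_demo")  # constructed for the demo
    print(validate_upload_name("router.mib"))
    print(plan_rename(base, "snap-1.tar.gz", "snap-2.tar.gz"))
    for bad in ("shell.php.mib", "../../html/tools/x.php"):
        try:
            plan_rename(base, "snap-1.tar.gz", bad)
        except ValueError as e:
            print(bad, "->", e)
```

Run the checks server-side after the web framework has decoded the parameters, and prefer addressing snapshots by an opaque identifier looked up in a table rather than by a client-supplied path at all; then `resolve_inside` becomes defence in depth instead of the only barrier.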