CVE-2024-13986

Published: Aug 28, 2025

Modified: May 15, 2026

PUBLISHED

Description

Nagios XI versions before 2024R1.3.2 contain a remote code execution vulnerability that chains two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation places attacker-controlled PHP files in a web-accessible directory, where they are executed as the www-data user.

Affected products

Vendor: Nagios
Product: Nagios XI
Status: affected
Versions: 0 - < 2024R1.3.2

Weaknesses (CWE)
