CVE-2024-13994
moderate-risk
Published 2025-10-30
Nagios XI versions prior to 2024R1.1.2 contain a missing authorization control when the 'Allow Insecure Logins' option is enabled. Under this configuration, any user can create valid login credentials for other users without proper authorization. This can lead to unauthorized account creation, privilege escalation, or full compromise of the Nagios XI web interface depending on the target account.
Do I need to act?
-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Vendors
References (3)
Release Notes
https://www.nagios.com/changelog/nagios-xi/
Vendor Advisory
https://www.nagios.com/products/security/#nagios-xi
Third Party Advisory
https://www.vulncheck.com/advisories/nagios-xi-allow-insecure-logins-missing-aut...
45
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
0/34 · Minimal
Exposure
13/34 · Low