Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XNagios Xi
APPNagios2024< 2024
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
Related vulnerabilities
CVE-2024-13997CRITICAL9.4PL ✓ten sam produkt
Nagios XI — privilege escalation do root via Migrate Server
CVE-2024-13996CRITICAL9.2PL ✓ten sam produkt
Nagios XI — brak unieważniania sesji po zmianie hasła (CVE-2024-13996)
CVE-2020-36856CRITICAL9.4PL ✓ten sam produkt
Nagios XI — authenticated RCE przez command injection w CCM
CVE-2023-7317CRITICAL9.4PL ✓ten sam produkt
Nagios XI – brak kontroli dostępu w Web SSH Terminal (RCE/ujawnienie danych)
CVE-2024-14005CRITICAL9.4PL ✓ten sam produkt
Command injection w Nagios XI — podatność w Docker Wizard