Unrated severityNVD Advisory· Published Aug 28, 2025· Updated Feb 26, 2026

Nagios XI < 2024R1.3.2 Authenticated Arbitrary File Upload Path Traversal RCE

CVE-2024-13986

Description

Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user.

Affected products

Nagios/Nagiosllm-fuzzy
Range: <2024R1.3.2
Nagios/Nagios XIv5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

theyhack.me/Nagios-XI-Authenticated-RCEmitretechnical-descriptionexploit
www.nagios.com/changelog/nagios-xi/mitrevendor-advisorypatch
www.nagios.com/products/security/mitrevendor-advisorypatch
www.vulncheck.com/advisories/nagios-xi-authenticated-arbitrary-file-upload-path-traversal-rcemitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000