CVE-2024-14002 - Vulnerability Details

Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00524.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Nagios Subscribe	Nagios Xi Subscribe Xi Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:nagios:nagios_xi::::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.1::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2::::::
	cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3::::::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Nagios Subscribe	Xi Subscribe

Advisories

No advisories yet.

Fixes

Solution

Nagios addresses this vulnerability as "Nagios XI is vulnerable to an authenticated Local File Inclusion attack via Nagvis." and as part of "Fixed both XSS in Executive Summary report and ajaxhelper endpoint that was too open."

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.nagios.com/changelog/nagios-xi/
https://www.nagios.com/products/security/#nagios-xi
https://www.vulncheck.com/advisories/nagios-xi-authenticated-local-file-inclusion-via-nagvis

History

Mon, 17 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:nagios:nagios_xi:2024:::::::*

Thu, 06 Nov 2025 16:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nagios nagios Xi
CPEs		cpe:2.3:a:nagios:nagios_xi:::::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1.1:::::: cpe:2.3:a:nagios:nagios_xi:2024:r1::::::
Vendors & Products		Nagios nagios Xi
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Fri, 31 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 31 Oct 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nagios Nagios xi
Vendors & Products		Nagios Nagios xi

Thu, 30 Oct 2025 21:45:00 +0000

Type	Values Removed	Values Added
Description		Nagios XI versions prior to 2024R1.1.4 contain a local file inclusion (LFI) vulnerability via its NagVis integration. An authenticated user can supply crafted path values that cause the server to include local files, potentially exposing sensitive information from the underlying host.
Title		Nagios XI < 2024R1.1.4 Authenticated Local File Inclusion via NagVis
Weaknesses		CWE-98
References		https://www.nagios.com/changelog/nagios-xi/ https://www.nagios.com/products/security/#nagios-xi https://www.vulncheck.com/advisories/nagios-xi-authenticated-local-file-inclusion-via-nagvis
Metrics		cvssV4_0 `{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2025-10-30T21:30:39.691Z

Updated: 2025-11-17T18:21:48.806Z

Reserved: 2025-10-22T18:20:05.591Z

Link: CVE-2024-14002

Vulnrichment

Updated: 2025-10-31T15:05:07.731Z

NVD

Status : Analyzed

Published: 2025-10-30T22:15:45.600

Modified: 2025-11-06T16:23:37.760

Link: CVE-2024-14002

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-10-31T10:12:54Z

Weaknesses

CWE-98

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object