CVE-2024-14003
CRITICAL
Nagios XI < 2024R1.2 - Remote Code Execution via NRDP Server Plugin Parameter Injection
Title source: llm
Description
Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service.
References (3)
Core References
Vendor Advisory vendor-advisory
patch
https://www.nagios.com/products/security/#nagios-xi
Release Notes release-notes
patch
https://www.nagios.com/changelog/nagios-xi/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/nagios-xi-rce-via-nrdp-server-plugins
Scores
CVSS v3
9.8
EPSS
0.0095
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
nagios/nagios_xi
2024 r1 (9 CPE variants)
nagios/nagios_xi
< 2024
Published
Oct 30, 2025
Tracked Since
Feb 18, 2026