CVE-2024-14008
HIGHNagios XI < 2024R1.3.2 - Authenticated Remote Code Execution via WinRM Configuration Wizard
Title source: llmDescription
Nagios XI versions prior to 2024R1.3.2 contain a remote command execution vulnerability in the WinRM Configuration Wizard. Insufficient validation of user-supplied input allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
patch
https://www.nagios.com/products/security/#nagios-xi
Release Notes release-notes
patch
https://www.nagios.com/changelog/nagios-xi/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/nagios-xi-rce-via-winrm-configuration-wizard
Scores
CVSS v3
7.2
EPSS
0.0066
EPSS Percentile
71.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (2)
nagios/nagios_xi
2024 r1 (14 CPE variants)
nagios/nagios_xi
< 2024
Published
Oct 30, 2025
Tracked Since
Feb 18, 2026