Nagios XI < 2024R1.2 Privilege Escalation via NagVis Configuration (nagvis.conf)

Advisories

severity: high
date: October 30, 2025
Affecting: XI < 2024R1.2
CVE: CVE-2024-14004
CWE: CWE-269 Improper Privilege Management
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: Nagios XI Security Disclosures
Nagios XI Changelog
Credit: Exodus Intelligence
Description: Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration data or leverage insufficiently validated configuration settings to obtain elevated privileges on the Nagios XI system.