Nagios XI < 2024R1.1.3 Session Not Invalidated After Password Change

Advisories

severity: critical
date: 10/30/2025
Affecting: XI < 2024R1.1.3
CVE: CVE-2024-13996
CWE: CWE-613 Insufficient Session Expiration
CVSS: 9.2
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: Nagios XI Security Disclosures
Nagios XI Changelog
Credit: Jack Eli
Description: Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo