CVE-2024-13995
Published: 30 October 2025
Description
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained.
Security Summary
CVE-2024-13995 is an information disclosure vulnerability (CWE-497) affecting Nagios XI monitoring software versions prior to 2024R1.1.2, with the issue confirmed in versions 2024R1.1 and 2024R1.1.1. The flaw enables authenticated users to access sensitive user account information, including API keys and hashed passwords, that they are not authorized to view.
An attacker with low-privilege authenticated access (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 8.8; C:H/I:H/A:H; S:U). Successful exploitation could lead to full account compromise, abuse of API privileges, or offline cracking attempts against exposed password hashes.
Advisories recommend upgrading to Nagios XI 2024R1.1.2 or later to mitigate the issue. Additional details are available in the Nagios changelog at https://www.nagios.com/changelog/nagios-xi/, the Nagios security page at https://www.nagios.com/products/security/#nagios-xi, and the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-api-keys-and-hashed-password-authenticated-information-disclosure.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Exploitation for Credential Access (T1212) by disclosing API keys (enabling T1528, Steal Application Access Token) and hashed passwords (facilitating T1110.002, Password Cracking).