CVE-2024-13996
Published: 30 October 2025
Description
Adversaries can use stolen session cookies to authenticate to web applications and services.
Security Summary
CVE-2024-13996 is an insufficient session expiration vulnerability (CWE-613) in Nagios XI versions prior to 2024R1.1.3. When a user's password is changed, the software fails to invalidate all other active sessions associated with that user. This allows pre-existing sessions, including those potentially compromised by an attacker, to remain valid post-credential update, enabling continued unauthorized access.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability. An attacker with prior access to a valid user session—such as through session hijacking, theft, or fixation—can maintain access to sensitive user data and perform unauthorized actions even after the legitimate user changes their password.
Advisories recommend upgrading to Nagios XI 2024R1.1.3 or later to address the issue, as detailed in the Nagios changelog (https://www.nagios.com/changelog/nagios-xi/), security products page (https://www.nagios.com/products/security/#nagios-xi), and VulnCheck advisory (https://www.vulncheck.com/advisories/nagios-xi-session-not-invalidated-after-password-change).
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables exploitation of public-facing web app (T1190) and facilitates browser session hijacking (T1185), web session cookie theft (T1539), and use of stolen web session cookies for continued unauthorized access (T1550.004) even after password changes.