CVE-2024-14003
Published: 30 October 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2024-14003 is a remote code execution (RCE) vulnerability in Nagios XI versions prior to 2024R1.2, stemming from insufficient validation of inbound NRDP (Nagios Remote Data Processor) request parameters in its server plugins. This flaw, classified as CWE-78 (OS Command Injection), allows crafted input to reach command execution paths, enabling arbitrary command execution on the underlying host in the context of the web/Nagios service. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
An unauthenticated attacker with network access to the NRDP service can exploit this vulnerability by submitting specially crafted NRDP requests. Successful exploitation grants remote command execution as the web/Nagios service user, potentially allowing full compromise of the host system, including data exfiltration, persistence, or lateral movement.
Nagios advisories address this issue through patches in version 2024R1.2 and later. Additional mitigation details are available in the Nagios XI changelog at https://www.nagios.com/changelog/nagios-xi/, the security products page at https://www.nagios.com/products/security/#nagios-xi, and the VulnCheck advisory at https://www.vulncheck.com/advisories/nagios-xi-rce-via-nrdp-server-plugins.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated RCE via OS command injection in the public-facing NRDP service (T1190) and directly facilitates arbitrary Unix shell command execution as the Nagios service user (T1059.004).