CVE-2024-13998: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 2024R1.1.3 contain a vulnerability that can disclose sensitive user account information, including API keys and hashed passwords, to authenticated users who should not have access to that data. The vulnerability was discovered and disclosed in October 2025, affecting Nagios XI installations before version 2024R1.1.3. This issue is related to a similar vulnerability (CVE-2024-13995) which had an incomplete fix in earlier versions (VulnCheck Advisory).

The vulnerability has been assigned a CVSS v4.0 Base Score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The vulnerability requires authentication but has low attack complexity, with the primary impact being unauthorized access to sensitive information (VulnCheck Advisory).

The exploitation of this vulnerability could lead to serious security consequences including account compromise, abuse of API privileges, and potential offline password cracking attempts through exposed hashed passwords. The exposure of API keys could give attackers unauthorized access to system functionality and sensitive data (VulnCheck Advisory).

The primary mitigation is to upgrade to Nagios XI version 2024R1.1.3 or later, which contains the fix for this vulnerability. This update is available through the standard Nagios XI upgrade process (Nagios Security, Nagios Changelog).