CVE-2024-13999: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 2024R1.1.3 contain a vulnerability that allows authenticated users to access sensitive system information. The vulnerability (CVE-2024-13999) was discovered and disclosed on October 30, 2025, affecting Nagios XI's authentication system (VulnCheck Advisory).

The vulnerability allows authenticated users to access the server's Active Directory (AD) or LDAP authentication token under certain circumstances. The issue has been assigned CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The vulnerability has received a CVSS v4.0 base score of 7.3 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H, and a CVSS v3.1 score of 9.8 (CRITICAL) (NVD).

The exposure of the server's AD/LDAP token could lead to serious security implications including domain-wide authentication misuse, escalation of privileges, and potential compromise of network-integrated systems. This could give attackers the ability to move laterally within the network and access sensitive resources (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 2024R1.1.3. Organizations using affected versions should upgrade to this version or later to mitigate the risk (Nagios Changelog).