Security readout for executives and security teams
Plain-English summary
Older Nagios XI monitoring servers let low-privilege users reach an Auto-Discovery feature that should be restricted to admins. A read-only account could see network discovery results and trigger discovery actions, leaking internal asset details that help an attacker plan further intrusion. Upgrading to 2012R1.6 or later resolves the issue per vendor change notes.
Executive priority
Patch on a normal change cadence unless your Nagios XI console is broadly accessible internally, in which case prioritize within the next maintenance window. Business impact is moderate: information disclosure about internal assets, not direct system takeover, but the exposed data accelerates downstream attacks.
Technical view
Nagios XI prior to 2012R1.6 fails to enforce authorization on Auto-Discovery endpoints (CWE-862). An authenticated user with low privileges can directly request discovery pages and operations that should require elevated rights, exposing scan output and enabling unintended use of discovery functionality. CVSS 4.0 vector indicates network attack with low privileges, no user interaction, and high confidentiality impact.
Likely exposure
Limited to organizations still running Nagios XI versions older than 2012R1.6. Risk is highest where the Nagios XI console is reachable by many internal users or exposed beyond a trusted management network, since any authenticated low-privilege account becomes a stepping stone for internal reconnaissance.
Exploitation context
No public exploitation is cited in the bundle and the CVE is not listed in CISA KEV. The flaw requires valid low-privileged credentials, so exploitation is plausible by insiders or anyone who obtains a basic Nagios XI account, but no active campaigns are documented in the supplied sources.
Researcher notes
CWE-862 missing authorization on Auto-Discovery endpoints; CVSS 4.0 7.2 reflects network reach, low privilege requirement, and high confidentiality impact with limited integrity and availability impact. The CVE was published in 2025 for a fix line dated 2012R1.6, so verify true running versions rather than trusting stated patch posture. No KEV entry and no public PoC referenced in the bundle.
Mitigation direction
- Upgrade Nagios XI to 2012R1.6 or later per vendor change log.
- Restrict the Nagios XI web console to trusted management networks.
- Audit user accounts and remove unneeded read-only or guest access.
- Review Nagios XI role assignments to enforce least privilege.
- Monitor authentication and Auto-Discovery access logs for anomalies.
Validation and detection
- Confirm the running Nagios XI version against the 2012R1.6 fix line.
- Review VulnCheck advisory details to map vulnerable endpoints.
- Test with a non-admin account whether Auto-Discovery pages load.
- Inventory all Nagios XI instances, including legacy and lab servers.
- Check web server logs for prior unauthorized Auto-Discovery requests.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-862: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2013-10072 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.2 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
7.2HighVector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.nagios.com/changelog/nagios-xi/CVE reference · release-notes, patch
- https://www.vulncheck.com/advisories/nagios-xi-auto-discovery-missing-authorizationCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
