LiveActive security incident?Get immediate response
CVE Record

CVE-2013-10072: Nagios XI < 2012R1.6 Auto-Discovery Missing Authorization

Nagios XI versions prior to 2012R1.6 contain an authorization flaw in the Auto-Discovery functionality. Users with read-only roles could directly reach Auto-Discovery endpoints and pages that should require elevated permissions, exposing discovery results and allowing unintended access to discovery operations.

HighCVSS 7.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

Older Nagios XI monitoring servers let low-privilege users reach an Auto-Discovery feature that should be restricted to admins. A read-only account could see network discovery results and trigger discovery actions, leaking internal asset details that help an attacker plan further intrusion. Upgrading to 2012R1.6 or later resolves the issue per vendor change notes.

Executive priority

Patch on a normal change cadence unless your Nagios XI console is broadly accessible internally, in which case prioritize within the next maintenance window. Business impact is moderate: information disclosure about internal assets, not direct system takeover, but the exposed data accelerates downstream attacks.

Technical view

Nagios XI prior to 2012R1.6 fails to enforce authorization on Auto-Discovery endpoints (CWE-862). An authenticated user with low privileges can directly request discovery pages and operations that should require elevated rights, exposing scan output and enabling unintended use of discovery functionality. CVSS 4.0 vector indicates network attack with low privileges, no user interaction, and high confidentiality impact.

Likely exposure

Limited to organizations still running Nagios XI versions older than 2012R1.6. Risk is highest where the Nagios XI console is reachable by many internal users or exposed beyond a trusted management network, since any authenticated low-privilege account becomes a stepping stone for internal reconnaissance.

Exploitation context

No public exploitation is cited in the bundle and the CVE is not listed in CISA KEV. The flaw requires valid low-privileged credentials, so exploitation is plausible by insiders or anyone who obtains a basic Nagios XI account, but no active campaigns are documented in the supplied sources.

Researcher notes

CWE-862 missing authorization on Auto-Discovery endpoints; CVSS 4.0 7.2 reflects network reach, low privilege requirement, and high confidentiality impact with limited integrity and availability impact. The CVE was published in 2025 for a fix line dated 2012R1.6, so verify true running versions rather than trusting stated patch posture. No KEV entry and no public PoC referenced in the bundle.

Mitigation direction

  • Upgrade Nagios XI to 2012R1.6 or later per vendor change log.
  • Restrict the Nagios XI web console to trusted management networks.
  • Audit user accounts and remove unneeded read-only or guest access.
  • Review Nagios XI role assignments to enforce least privilege.
  • Monitor authentication and Auto-Discovery access logs for anomalies.

Validation and detection

  • Confirm the running Nagios XI version against the 2012R1.6 fix line.
  • Review VulnCheck advisory details to map vulnerable endpoints.
  • Test with a non-admin account whether Auto-Discovery pages load.
  • Inventory all Nagios XI instances, including legacy and lab servers.
  • Check web server logs for prior unauthorized Auto-Discovery requests.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-862: Authorization and privilege behavior lookup

Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2013-10072 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.2 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.2CVSS 4.0HighCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

7.2High
CVSS 4.0 vector shape for CVE-2013-10072Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
NagiosXI0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.