Key Information

Vulnerability name: Nagios XI < 2024R1.2 Command Injection via Docker Wizard
Severity: CRITICAL
Date: October 30, 2025
Affected versions: XI < 2024R1.2
CVE ID: CVE-2024-14005
CWE ID: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS score: 9.4
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References:
- Nagios XI Security Disclosures
- Nagios XI Changelog

Discovered by: Exodus Intelligence

Description: Nagios XI versions prior to 2024R1.2 contain a command injection vulnerability in the Docker Wizard. Insufficient validation of user-supplied input in the wizard allows an authenticated administrator to inject shell metacharacters that are incorporated into backend command invocations. Successful exploitation enables arbitrary command execution with the privileges of the Nagios XI web application user.