CVE-2026-24413
MEDIUMCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.
Analysis
Icinga 2 on Windows versions 2.3.0 through 2.15.1 fail to properly restrict file permissions on the `%ProgramData%\icinga2\var` directory, allowing any local user to read sensitive data including private keys and synchronized configurations. All Windows installations are affected, and attackers with local access can extract cryptographic material and configuration details for lateral movement or further compromise. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running version 2.3.0 and and apply vendor patches as part of regular patch cycle. Review and tighten file/resource permissions.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today