CVE-2026-24413
Improper Permissions in Icinga 2 MSI Expose Private Keys
Publication date: 2026-01-29
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icinga | icinga | From 2.14.0 (inc) to 2.14.8 (exc) |
| icinga | icinga | From 2.15.0 (inc) to 2.15.2 (exc) |
| icinga | icinga | From 2.3.0 (inc) to 2.13.14 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Icinga 2 affects Windows installations where the MSI installer did not set proper permissions on the %ProgramData%\icinga2\var folder. As a result, all local users on the system could read the contents of this folder, which includes sensitive data such as the user's private key and synchronized configuration files. This exposure occurs in versions starting from 2.3.0 up to but not including 2.13.14, 2.14.8, and 2.15.2, which contain fixes.
How can this vulnerability impact me?
The vulnerability allows any local user on a Windows system running affected versions of Icinga 2 to read sensitive files, including private keys and configuration data. This could lead to unauthorized access, impersonation of the Icinga service user, or manipulation of monitoring configurations, potentially compromising the integrity and security of the monitoring system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the permissions of the folder `C:\ProgramData\icinga2\var` on your Windows system. If the permissions allow all local users to read the contents, including the private key and configuration files, your system is vulnerable. To check permissions, you can use the following PowerShell command: `Get-Acl -Path 'C:\ProgramData\icinga2\var' | Format-List`. Similarly, check the folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` for overly permissive ACLs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2, which automatically fix the ACLs for the Icinga 2 agent. Alternatively, you can manually update the Access Control Lists (ACLs) for the folder C:\ProgramData\icinga2\var and the folder C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate, including all subfolders and items, to restrict access to only the Icinga service user and administrators.
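The following PowerShell script is an added example covering both the detection step (reading the ACL) and the manual ACL repair described above; it is not code from the Icinga project. It audits the two folders named in this advisory for Allow entries granted to broad principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE; this list is an assumption, extend it for your environment), including entries inherited from %ProgramData% or Program Files, and provides a repair function that replaces the DACL with SYSTEM, Administrators and the service account only. The `$ServiceAccount` default of `NT AUTHORITY\SYSTEM` is an assumption; change it if the Icinga 2 service runs under a dedicated user.

```powershell
# Added example (not Icinga's own code): audit and optionally tighten the ACLs on
# the folders named in the advisory. Run from an elevated PowerShell session,
# since Set-Acl needs ownership or administrative rights on the target.

$AdvisoryPaths = @(
    'C:\ProgramData\icinga2\var',
    'C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate'
)

# Assumption: principals that should never hold an Allow entry on private key material.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-IcingaAclExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path not found (Icinga may be installed elsewhere on this host)"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Any Allow entry for a broad principal is a finding; inherited entries count too,
        # because inheriting from %ProgramData% is exactly how the MSI left the folder exposed.
        if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Repair-IcingaAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: account the Icinga 2 service runs as.
        [string]$ServiceAccount = 'NT AUTHORITY\SYSTEM'
    )
    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent; $false discards the inherited entries instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit entry, then grant only the principals that need the keys.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($principal in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount) | Select-Object -Unique) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $full, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }

    if ($PSCmdlet.ShouldProcess($Path, 'Replace DACL with SYSTEM, Administrators and the service account')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
        # Existing children may carry their own explicit entries; strip those and let them
        # inherit from the repaired parent so subfolders and files end up consistent.
        Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
            $childAcl = Get-Acl -LiteralPath $_.FullName
            $childAcl.SetAccessRuleProtection($false, $false)
            foreach ($ace in @($childAcl.Access)) {
                if (-not $ace.IsInherited) { [void]$childAcl.RemoveAccessRule($ace) }
            }
            Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
        }
    }
}

# Audit only; repair is a separate, deliberate step (see the usage note).
$findings = $AdvisoryPaths | ForEach-Object { Test-IcingaAclExposure -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize } else { 'No broad principals hold access on the advisory paths.' }
```

Running the script as-is only reports; to fix a folder, call `Repair-IcingaAcl -Path 'C:\ProgramData\icinga2\var' -WhatIf` first to see what would change, then repeat without `-WhatIf`. Re-run the audit afterwards to confirm the broad principals are gone, and keep in mind that the upgrade to the Icinga for Windows versions listed above performs the same ACL correction for you, which is the preferred route where it is available.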