CVE-2026-24413

5.5 MEDIUM

📋 TL;DR

The Icinga 2 MSI installer on Windows sets overly permissive folder permissions, allowing all local users to read sensitive files including private keys and configuration data. This affects all Windows installations of Icinga 2 versions 2.3.0 through 2.13.13, 2.14.7, and 2.15.1. Attackers with local access can steal credentials and potentially compromise the monitoring system.

💻 Affected Systems

Products:
  • Icinga 2
  • Icinga for Windows
Versions: Icinga 2: 2.3.0 through 2.13.13, 2.14.7, and 2.15.1; Icinga for Windows: versions before v1.13.4, v1.12.4, and v1.11.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. The vulnerability exists in the MSI installer's default folder permission settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attackers steal private keys and configuration files, enabling them to impersonate the Icinga service, access monitored systems, or modify monitoring data.

🟠 Likely Case

Unauthorized local users read sensitive configuration data and private keys, potentially leading to credential theft and lateral movement.

🟢 If Mitigated

With proper ACLs, only authorized service accounts and administrators can access sensitive files, preventing credential exposure.

🌐 Internet-Facing: LOW - This is a local privilege issue requiring local user access, not directly exploitable over the network.
🏢 Internal Only: HIGH - Any local user (including low-privilege accounts) can read sensitive files, making internal compromise straightforward.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is trivial - attackers simply need to browse to the vulnerable folder and read files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Icinga 2: 2.13.14, 2.14.8, or 2.15.2; Icinga for Windows: v1.13.4, v1.12.4, or v1.11.2

Vendor Advisory: https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2

Restart Required: Yes

Instructions:

1. Upgrade Icinga 2 to version 2.13.14, 2.14.8, or 2.15.2.
2. Upgrade Icinga for Windows to v1.13.4, v1.12.4, or v1.11.2.
3. Restart Icinga services.

🔧 Temporary Workarounds

Manual ACL Update

Platform: Windows

Manually set restrictive permissions on vulnerable folders to prevent unauthorized access.

icacls "C:\ProgramData\icinga2\var" /inheritance:r /grant:r "NT SERVICE\icinga2:(OI)(CI)F" "Administrators:(OI)(CI)F"
icacls "C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate" /inheritance:r /grant:r "NT SERVICE\icinga2:(OI)(CI)F" "Administrators:(OI)(CI)F"

🧯 If You Can't Patch

  • Immediately apply manual ACL workaround to restrict folder access
  • Rotate all certificates and keys stored in vulnerable folders after securing permissions

🔍 How to Verify

Check if Vulnerable:

Check folder permissions with icacls "C:\ProgramData\icinga2\var". If 'BUILTIN\Users' or similar groups have read access, the system is vulnerable.

Check Version:

icinga2 --version

Verify Fix Applied:

Verify folder permissions: icacls "C:\ProgramData\icinga2\var" - only NT SERVICE\icinga2 and Administrators should have access.
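
The check above can be scripted for both folders named in the workaround. The PowerShell below is an added example, not code from the vendor advisory; it assumes English principal names and an allow-list that mirrors the workaround's grants, so adjust `$AllowedPrincipals` if your service runs under a different account.

```powershell
# Added example (not from the vendor advisory): list ACEs that let principals
# outside an allow-list read the folders named in the workaround.
# Assumptions: English principal names; allow-list mirrors the workaround grants.
$AllowedPrincipals = @('NT SERVICE\icinga2', 'BUILTIN\Administrators')
$Folders = @(
    'C:\ProgramData\icinga2\var',
    'C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate'
)

# ReadData (0x1), GENERIC_ALL (0x10000000) and GENERIC_READ (bit 31). Inherit-only
# ACEs often carry the generic bits instead of the specific file rights.
$ReadMask = 0x1 -bor 0x10000000 -bor [int]::MinValue

function Get-UnexpectedReadAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $principal  = $ace.IdentityReference.Value
        $grantsRead = ([int]$ace.FileSystemRights -band $ReadMask) -ne 0
        # Report Allow entries with read rights for anyone not on the allow-list.
        if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and
            $Allowed -notcontains $principal) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $principal
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Skip folders that do not exist on this host (e.g. framework not installed).
$findings = foreach ($folder in $Folders) {
    if (Test-Path -LiteralPath $folder) {
        Get-UnexpectedReadAce -Path $folder -Allowed $AllowedPrincipals
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning 'Principals outside the allow-list can read Icinga data.'
} else {
    Write-Output 'No unexpected read access found on the checked folders.'
}
```

Run it from an elevated session so `Get-Acl` can read the descriptors after inheritance has been removed.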

📡 Detection & Monitoring

Log Indicators:

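  • Windows Security logs showing unauthorized access attempts to icinga2 folders (Event ID 4663 is only generated when file system auditing is enabled and an audit entry is set on the folders)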
  • Icinga logs showing certificate validation failures

Network Indicators:

  • Unusual connections from Icinga server to monitored systems
  • Certificate validation errors in TLS connections

SIEM Query:

EventID=4663 AND ObjectName LIKE '%icinga2%var%' AND Accesses LIKE '%ReadData%' AND SubjectUserName NOT IN ('NT SERVICE\\icinga2', 'Administrator')
