CVE-2026-24414 Overview
CVE-2026-24414 affects the Icinga PowerShell Framework, which provides configuration and check capabilities for monitoring Windows environments through Icinga for Windows. The vulnerability stems from insecure default permissions on the certificate directory, which grant read access to every local user. This exposes the private key of the Icinga host certificate to any authenticated local account. All installations prior to versions 1.13.4, 1.12.4, and 1.11.2 are affected. The flaw is tracked under CWE-276: Incorrect Default Permissions.
Critical Impact
Any local user can read the Icinga host certificate private key, enabling impersonation of the monitored host within the Icinga monitoring infrastructure.
Affected Products
- Icinga PowerShell Framework versions prior to 1.11.2
- Icinga PowerShell Framework versions 1.12.0 through 1.12.3
- Icinga PowerShell Framework versions 1.13.0 through 1.13.3
Discovery Timeline
- 2026-01-29 - CVE-2026-24414 published to the National Vulnerability Database
- 2026-01-29 - Vendor advisory GHSA-88h5-rrm6-5973 published by Icinga
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-24414
Vulnerability Analysis
The Icinga PowerShell Framework stores cryptographic material in C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate. The framework provisions this directory without restricting its Access Control List (ACL). As a result, the default Users group inherits read permissions from the parent path, exposing the private key file used to authenticate the host to the Icinga master.
An attacker with any low-privileged interactive or remote session on the monitored Windows host can read the private key. The key authenticates the host within the Icinga API, so theft of the key enables certificate-based impersonation of that host. Attackers can then submit forged check results, suppress alerts, or pivot through trust relationships within the monitoring fabric.
A parallel issue, tracked as CVE-2026-24413, affects the Icinga 2 agent at C:\ProgramData\icinga2\var. Upgrading the PowerShell Framework also remediates the Icinga 2 issue automatically.
Root Cause
The installer applies inherited NTFS permissions to the certificate directory rather than explicitly setting a restrictive ACL. Standard users inherit Read & Execute rights on files under C:\Program Files, which should not apply to private key material. The framework fails to enforce least privilege on sensitive artifacts at installation time.
Attack Vector
Exploitation requires local access with low privileges (PR:L, AV:L). The attacker reads the private key file directly using any user-mode tool such as Get-Content, type, or copy. No code execution, elevation, or user interaction is required. The stolen key material can then be exfiltrated and reused offline against the Icinga master.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-24414
Indicators of Compromise
- Read access events (Event ID 4663) on files within the Icinga certificate directory originating from non-service, non-administrator accounts.
- Unexpected file copy or PowerShell Get-Content operations targeting *.crt, *.key, or *.pem under the Icinga framework path.
- Duplicate or geographically anomalous TLS sessions from the host certificate to the Icinga master.
Detection Strategies
- Enable object access auditing on C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate and C:\ProgramData\icinga2\var to capture read attempts by non-privileged principals.
- Inventory current ACLs across managed Windows endpoints using icacls or PowerShell Get-Acl to identify hosts where the BUILTIN\Users group retains read rights on the certificate directory.
- Correlate Icinga API authentication logs with expected source hosts to identify certificate reuse from unauthorized systems.
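The auditing and Event ID 4663 hunting described above can be set up as follows. This is an added example, not code from Icinga or from the original page; the `$ExpectedSids` list and the function name `Find-IcingaKeyRead` are assumptions to adapt to the local service account.

```powershell
# Added example, not Icinga's code. Run elevated. Event 4663 is only logged when the
# "File System" audit subcategory is on: auditpol /set /subcategory:"File System" /success:enable
$Paths = @(
    'C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate',
    'C:\ProgramData\icinga2\var'
)
# Assumption: accounts expected to read the key material (SYSTEM, NETWORK SERVICE).
# Replace with the SID of the account your Icinga service actually runs as.
$ExpectedSids = @('S-1-5-18', 'S-1-5-20')

# Step 1: add a SACL entry auditing successful ReadData by anyone (S-1-1-0), inherited by
# all files and sub-folders. SIDs are used so the script works on any OS display language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success')
foreach ($p in ($Paths | Where-Object { Test-Path -LiteralPath $_ })) {
    $acl = Get-Acl -LiteralPath $p -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $p -AclObject $acl
}

# Step 2: hunt for 4663 events on those paths raised by accounts outside the expected list.
# Administrator accounts will also appear here and need triage by a human.
function Find-IcingaKeyRead {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            $hit = $Paths | Where-Object { $d['ObjectName'] -like "$_\*" }
            if ($hit -and ($ExpectedSids -notcontains $d['SubjectUserSid'])) {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process = $d['ProcessName']
                    File    = $d['ObjectName']
                }
            }
        }
}

Find-IcingaKeyRead | Sort-Object Time | Format-Table -AutoSize
```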
Monitoring Recommendations
- Forward Windows Security and Sysmon FileCreate / FileRead events for the affected directories into a centralized log platform for retroactive hunting.
- Alert on any process other than icinga2.exe or powershell.exe running under the Icinga service account that opens files within the certificate directory.
- Track installed versions of icinga-powershell-framework across the fleet and flag any host running a version below the fixed release for its branch (1.11.2, 1.12.4, or 1.13.4).
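A per-host check covering both the ACL inventory from the detection strategies and the version tracking above. It is an added example, not Icinga's own tooling; the function names `Test-IcingaFrameworkVulnerable` and `Get-BroadReadAce` and the set of broad principals checked are assumptions of this sketch.

```powershell
# Added example, not Icinga's code. Run elevated on the monitored host.
# Paths and fixed versions come from the advisory text above.
$Paths = @(
    'C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate',
    'C:\ProgramData\icinga2\var'
)
# Well-known SIDs of broad groups that should not be able to read key material.
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-IcingaFrameworkVulnerable([version]$Version) {
    # Affected: below 1.11.2, 1.12.0 through 1.12.3, 1.13.0 through 1.13.3.
    if ($Version -lt [version]'1.11.2') { return $true }
    if ($Version -ge [version]'1.12.0' -and $Version -lt [version]'1.12.4') { return $true }
    if ($Version -ge [version]'1.13.0' -and $Version -lt [version]'1.13.4') { return $true }
    return $false
}

function Get-BroadReadAce([string]$Path) {
    # Check the directory and every child: an ACE on a single key file matters too.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Resolve ACEs to SIDs so the match does not depend on localized group names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            $canRead = (([int]$rule.FileSystemRights) -band $ReadData) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and $canRead) {
                [pscustomobject]@{ Host = $env:COMPUTERNAME; Path = $item.FullName
                    Principal = $BroadSids[$sid]; Inherited = $rule.IsInherited }
            }
        }
    }
}

$module = Get-Module -ListAvailable -Name 'icinga-powershell-framework' |
    Sort-Object Version -Descending | Select-Object -First 1
if ($module) {
    '{0}: framework {1}, affected version: {2}' -f $env:COMPUTERNAME, $module.Version,
        (Test-IcingaFrameworkVulnerable $module.Version)
}
$Paths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { Get-BroadReadAce $_ } |
    Format-Table -AutoSize
```

Any row returned means a broad group can still read files under that path; `Inherited = True` points at the inheritance problem described under Root Cause.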
How to Mitigate CVE-2026-24414
Immediate Actions Required
- Upgrade the Icinga PowerShell Framework to version 1.13.4, 1.12.4, or 1.11.2 depending on the deployed release branch.
- Rotate the Icinga host certificate and private key on every previously affected endpoint after upgrading, since prior key material must be considered compromised.
- Audit ACLs on C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate and C:\ProgramData\icinga2\var and remediate any host retaining inherited user read rights.
Patch Information
Icinga released fixed versions 1.13.4, 1.12.4, and 1.11.2 of the PowerShell Framework. The patches set explicit ACLs on the certificate directory and propagate them to all sub-items. Upgrading also addresses the related CVE-2026-24413 issue in the Icinga 2 agent. Refer to the Icinga Blog Release Notes and the GitHub Security Advisory GHSA-88h5-rrm6-5973 for full details.
Workarounds
- Manually restrict the ACL on the affected certificate directory and all sub-folders to allow only the Icinga service user and local Administrators.
- Apply the same restriction to C:\ProgramData\icinga2\var to remediate the parallel Icinga 2 agent exposure.
- Disable inheritance on the certificate directory to prevent default Users rights from re-propagating after configuration changes.
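# Restrict ACL on the Icinga certificate directory (run as Administrator)
# "icinga-service-user" is a placeholder: substitute the account the Icinga service runs as.
# Grant the explicit entries first, then drop inheritance, so the directory is never left with an empty DACL.
icacls "C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "icinga-service-user:(OI)(CI)RX"
icacls "C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate" /inheritance:r
# Apply the same hardening to the Icinga 2 agent path (CVE-2026-24413)
# The Icinga 2 service writes logs and state under var; if its account needs write access there, grant M instead of RX.
icacls "C:\ProgramData\icinga2\var" /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "icinga-service-user:(OI)(CI)RX"
icacls "C:\ProgramData\icinga2\var" /inheritance:r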


