CVE-2026-24413 is a vulnerability categorized under CWE-276 (Incorrect Default Permissions) affecting the Icinga 2 open source monitoring system on Windows platforms. Specifically, versions starting from 2.3.0 up to but excluding 2.13.14, 2.14.8, and 2.15.2 fail to set secure Access Control Lists (ACLs) on the %ProgramData%\icinga2\var directory. This directory contains sensitive files such as the private key of the Icinga user and synchronized configuration files. Due to overly permissive default ACLs, any local user on the Windows system can read these files, exposing critical credentials and configuration data. The vulnerability does not require user interaction or elevated privileges beyond local user access, making it relatively easy to exploit once local access is obtained. The exposure of private keys can lead to unauthorized access to the monitoring system, potential privilege escalation, or lateral movement within the network. The vulnerability also affects the Icinga for Windows agent, which can be mitigated by upgrading to versions v1.13.4, v1.12.4, or v1.11.2 that fix the ACLs automatically. Alternatively, administrators can manually correct the ACLs on the %ProgramData%\icinga2\var folder and the PowerShell module certificate folder to restrict access to only the Icinga service user and administrators. No public exploits have been reported yet, but the risk remains significant due to the sensitive nature of the exposed data. The CVSS 4.0 base score is 6.8, reflecting a medium severity with local attack vector, low complexity, no privileges required beyond local user, and high impact on confidentiality.

For European organizations, this vulnerability poses a significant risk to the confidentiality of monitoring infrastructure credentials and configurations. Exposure of private keys can allow attackers with local access to impersonate the Icinga service, manipulate monitoring data, or disable monitoring alerts, potentially masking malicious activity. This can lead to delayed detection of security incidents or operational failures. Organizations relying on Icinga 2 for critical infrastructure monitoring, including energy, telecommunications, finance, and government sectors, face increased risk of targeted attacks exploiting this vulnerability to gain deeper network access. The vulnerability's local access requirement limits remote exploitation but insider threats or compromised user accounts can leverage this flaw. Additionally, the widespread use of Windows servers in European enterprises and the popularity of Icinga in the region amplify the potential impact. Failure to remediate could result in data breaches, operational disruptions, and regulatory non-compliance under GDPR due to inadequate protection of sensitive system credentials.

The primary mitigation is to upgrade Icinga 2 on Windows to versions 2.13.14, 2.14.8, or 2.15.2 or later, which include fixes for the ACL misconfiguration. For organizations unable to upgrade immediately, upgrading the Icinga for Windows agent to v1.13.4, v1.12.4, or v1.11.2 will automatically correct the ACLs for the agent components. Alternatively, administrators should manually audit and correct the ACLs on the %ProgramData%\icinga2\var directory and the C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate folder. This involves restricting read and write permissions to only the Icinga service user and system administrators, removing access for general local users. Regularly verifying ACL integrity and monitoring access logs for unusual local file access attempts can help detect exploitation attempts. Additionally, implementing strict local user account management and minimizing the number of users with local access to monitoring servers reduces risk. Organizations should also review and harden Windows host security policies and consider endpoint detection solutions to monitor for suspicious activity related to Icinga files.