Cyber Resilience

CVE-2024-49369

Severity: Critical
Published: 12 November 2024
Modified: 26 November 2025
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2407 (96.2 percentile)
Risk Priority: 34 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-49369 is a critical-severity Improper Certificate Validation (CWE-295) vulnerability in Icinga 2, maintained by Icinga. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 3.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Icinga 2 is an open-source monitoring system that performs availability checks, sends outage notifications, and produces performance data. The vulnerability is an improper certificate validation flaw (CWE-295) present in all releases from 2.4.0 onward: the TLS handshake logic failed to correctly enforce certificate constraints, enabling impersonation of both cluster nodes and ApiUser accounts that authenticate via TLS client certificates (ApiUser objects identified by the client_cn attribute).

An unauthenticated network attacker can present a crafted certificate that Icinga 2 accepts as valid, thereby impersonating trusted nodes or privileged API users. Successful exploitation lets the attacker inject monitoring data, alter configuration, or issue commands with the privileges of the impersonated entity, which is consistent with the CVSS 9.8 rating.

The issue is resolved in Icinga 2 versions 2.14.3, 2.13.10, 2.12.11, and 2.11.12. The referenced commits implement stricter certificate validation checks that restore proper enforcement of subject names and trust relationships for both cluster and API-client connections. The EPSS score peaked at 0.2551 before receding to its current value of 0.2407.
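As an added example (not part of this advisory or the Icinga project), the following Python check decides whether a given Icinga 2 version string falls inside the affected range described above, using only the first-affected and fixed releases named here. It assumes that 2.x branches newer than 2.14 were cut after the fix and carry it, that branches 2.4 through 2.10 have no fixed release, and that version strings look like `2.14.2`, `v2.14.2` or `r2.14.2-1`.

```python
"""Decide whether an Icinga 2 version is affected by CVE-2024-49369.
Per the advisory: every release from 2.4.0 onward is affected; fixes shipped
in 2.11.12, 2.12.11, 2.13.10 and 2.14.3. Assumptions (not from the advisory):
branches newer than 2.14 were cut after the fix; 2.4 to 2.10 have no fixed release.
"""
from typing import Tuple

Version = Tuple[int, int, int]
FIRST_AFFECTED: Version = (2, 4, 0)
# First fixed release on each minor branch, as named in the advisory.
FIXED_BY_BRANCH = {
    (2, 11): (2, 11, 12),
    (2, 12): (2, 12, 11),
    (2, 13): (2, 13, 10),
    (2, 14): (2, 14, 3),
}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

def parse_version(text: str) -> Version:
    """Accept '2.14.2', 'v2.14.2' or 'r2.14.2-1' (tag/package style): a leading
    'r' or 'v' and any '-<release>' suffix are ignored (assumed formats)."""
    core = text.strip().lstrip("rv").split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Icinga 2 version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)

def is_vulnerable(text: str) -> bool:
    """True when the version is in the affected range and predates its branch fix."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False                     # pre-2.4.0: before the flaw appeared
    branch = (v[0], v[1])
    if branch > NEWEST_FIXED_BRANCH:
        return False                     # assumption: branch released after the fix
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return True                      # 2.4 .. 2.10: no fixed release listed
    return v < fixed

def fixed_release_for(text: str) -> str:
    """Upgrade target on the same branch, or '' when the advisory lists none."""
    branch = parse_version(text)[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    return ".".join(map(str, fixed)) if fixed else ""
```

A 2.10.x or older 2.x install returns no same-branch target, so the practical remediation there is a move to one of the fixed branches.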


Vulnerability details

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

CWE(s): CWE-295 (Improper Certificate Validation)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Icinga / Icinga 2: 2.4.0 — 2.11.12 · 2.12.0 — 2.12.11 · 2.13.0 — 2.13.10 (the upper bounds listed here are the fixed releases named above; the 2.14 branch before 2.14.3 does not appear in this list)
- Debian / Debian Linux: 11.0

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-295: When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Addresses CWE-295: Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Addresses CWE-295: Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
