Cyber Posture

CVE-2026-24892

Severity: High · Public PoC · RCE

Published: 20 February 2026
Modified: 02 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24892 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in It-Novum Openitcockpit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.8% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-2, Flaw Remediation): Directly requires timely identification, reporting, and patching of the PHP deserialization flaw, as addressed by upgrading to openITCOCKPIT version 5.4.0.

prevent: Mandates validation of serialized changelog inputs to ensure consistency and reject attacker-influenced data before unsafe deserialization.

detect (RA-5, Vulnerability Monitoring and Scanning): Facilitates ongoing vulnerability scanning to identify the latent PHP object injection risk in openITCOCKPIT.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is a PHP object injection in a public-facing web application (openITCOCKPIT), directly enabling exploitation of public-facing applications for potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence of an unrestricted unserialize() call constitutes a latent PHP object injection vulnerability. If future code changes, plugins, or refactors introduce object values into this path, the vulnerability could become immediately exploitable with severe impact, including potential remote code execution.

Deeper analysis [AI]

CVE-2026-24892 is a latent PHP object injection vulnerability stemming from an unsafe PHP deserialization pattern in the processing of changelog entries within openITCOCKPIT Community Edition version 5.3.1 and earlier. openITCOCKPIT is an open source monitoring tool designed for engines like Nagios, Naemon, and Prometheus. The issue arises because serialized changelog data, potentially influenced by an attacker through application state, is passed to an unrestricted unserialize() call, i.e. one that does not limit the classes PHP is allowed to instantiate while restoring the data. While no current application endpoint introduces PHP objects into this data path, the pattern is a PHP object injection risk that could become reachable through future code changes, plugins, or refactors.
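The distinction the analysis draws, an unrestricted unserialize() call versus one that refuses to instantiate classes, is easiest to see side by side. The following is an added illustration written for this page; it is not openITCOCKPIT code, and the function names, the changelog array shape and the sample payloads are constructed assumptions. It shows the weak pattern, a hardened replacement that forbids object instantiation and rejects any object-bearing payload, and a lightweight pre-check a defender can run over stored serialized blobs to find ones that carry object tokens.

```php
<?php
// Added example (not from the openITCOCKPIT project). All names and data
// below are hypothetical and constructed for illustration.

// Weak pattern: any class named in the blob may be instantiated during
// unserialize(), which is the CWE-502 condition described in the advisory.
function restoreChangelogUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern: allowed_classes => false makes PHP restore any object
// as __PHP_Incomplete_Class instead of the real class (no constructor,
// no __wakeup/__destruct of attacker-chosen types). We then reject the
// result outright if it contains any object at all, because changelog
// data is expected to be plain scalars and arrays only.
function restoreChangelogSafe(string $blob): array
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    // unserialize() returns false both on malformed input and for a
    // legitimately serialized false; changelog data is never a bare false.
    if ($data === false) {
        throw new InvalidArgumentException('changelog blob is not valid serialized data');
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('changelog blob must decode to an array');
    }
    assertNoObjects($data);
    return $data;
}

// Recursively refuse any object (including __PHP_Incomplete_Class) in the
// decoded structure.
function assertNoObjects(mixed $value, string $path = '$'): void
{
    if (is_object($value)) {
        throw new UnexpectedValueException("object found at {$path}; changelog data must not contain objects");
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            assertNoObjects($v, "{$path}[{$k}]");
        }
    }
}

// Defender pre-check: does a stored serialized blob carry an object token?
// The PHP serialization format encodes objects as O:<len>:"<class>": (and
// custom-serialized objects as C:<len>:"<class>":). Matching the token at
// the start of the blob or right after a ';' or '{' separator avoids false
// hits on string contents. Useful for auditing existing changelog rows.
function blobContainsObjectToken(string $blob): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $blob) === 1;
}

// Constructed sample inputs.
$benignBlob = serialize([
    'object_id' => 17,
    'action'    => 'edit',
    'data'      => ['name' => 'host-01', 'address' => '192.0.2.10'],
]);
$objectBlob = serialize(['action' => 'edit', 'data' => new stdClass()]);

var_dump(blobContainsObjectToken($benignBlob)); // bool(false)
var_dump(blobContainsObjectToken($objectBlob)); // bool(true)

$restored = restoreChangelogSafe($benignBlob);
var_dump($restored['data']['name']);            // string(7) "host-01"

try {
    restoreChangelogSafe($objectBlob);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowed_classes option has been available since PHP 7.0. Note that allowed_classes => false alone only downgrades objects to __PHP_Incomplete_Class; the explicit assertNoObjects() walk is what turns an unexpected object into a hard failure rather than a silently degraded record, and blobContainsObjectToken() gives a cheap way to scan already-persisted changelog rows for the condition the advisory describes.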

Exploitation requires low privileges (PR:L) and network access (AV:N), but demands high attack complexity (AC:H) because no direct injection path currently exists. A successful attack could yield high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), giving a CVSS v3.1 base score of 7.5. If object injection became feasible, it could enable severe outcomes such as remote code execution, though no such path exists in the affected versions.

Mitigation involves upgrading to openITCOCKPIT version 5.4.0, which addresses the issue via a commit (975e0d0dfb79898568afbbfdba8f647d92612a69). Additional details are available in the project's security advisory (GHSA-g83p-vvjm-g39x).

Details

CWE(s): CWE-502 Deserialization of Untrusted Data

Affected Products

it-novum / openitcockpit ≤ 5.4.0

CVEs Like This One

CVE-2026-24891 · Same product: It-Novum Openitcockpit
CVE-2025-54366 · Shared CWE-502
CVE-2025-7916 · Shared CWE-502
CVE-2025-0994 · Shared CWE-502
CVE-2024-56180 · Shared CWE-502
CVE-2025-9121 · Shared CWE-502
CVE-2026-24378 · Shared CWE-502
CVE-2025-27300 · Shared CWE-502
CVE-2025-55182 · Shared CWE-502
CVE-2026-23549 · Shared CWE-502

References