CVE-2022-24716
published 2022-03-08

Priority: P1 · 85 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 89.38% (99.8th percentile)

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Unauthenticated users can leak the contents of files of the local system accessible to the web-server user, including `icingaweb2` configuration files with database credentials. This issue has been resolved in versions 2.9.6 and 2.10 of Icinga Web 2. Database credentials should be rotated.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | icingaweb2 | < icingaweb2 2.9.6-1 (bookworm) | icingaweb2 2.9.6-1 (bookworm) |
| icinga | icinga_web_2 | >= 2.9.0 < 2.9.6 | 2.9.6 |
| icinga | icingaweb2 | | |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |
| icinga | icingaweb2 | >= 0 < 2.9.6-1 | 2.9.6-1 |

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/lib/icinga/icinga-php-thirdparty/etc/passwd
url: {{BaseURL}}/icinga2/lib/icinga/icinga-php-thirdparty/etc/passwd
url: {{BaseURL}}/icinga-web/lib/icinga/icinga-php-thirdparty/etc/passwd
path: /lib/icinga/icinga-php-thirdparty/
yara: regex `root:.*:0:0:`
sigma: GET request to /lib/icinga/icinga-php-thirdparty/ (unauthenticated directory traversal)
  • Look for unauthenticated GET requests containing the path segment '/lib/icinga/icinga-php-thirdparty/' in HTTP access logs; any traversal beyond the library root (e.g., to /etc/passwd or /etc/icingaweb2/config.ini) is a strong indicator of exploitation.
  • HTTP responses with Content-Type 'text/plain' to requests under /lib/icinga/icinga-php-thirdparty/ are a detection signal used by the Nuclei template for this CVE.
  • Monitor for requests targeting sensitive Icinga Web 2 configuration files such as /etc/icingaweb2/config.ini via the traversal path, which may expose database credentials.
  • Use Shodan/FOFA queries to identify exposed Icinga Web 2 instances for proactive asset identification: title:"Icinga Web 2 login".
  • The traversal vulnerability affects Icinga Web 2 versions 2.8.0–2.8.5 and 2.9.0–2.9.5 inclusive; versions 2.9.6 and 2.10+ are patched. Detection rules should scope version checks accordingly.
  • The exploit is unauthenticated: no session cookie or authentication header is required, so WAF/IDS rules should not require authenticated session context to fire.
  • The Nuclei template uses stop-at-first-match across three URL variants; detection logic should account for all three base path variants (/icinga2/, /icinga-web/, and root) to avoid missed detections.
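
The access-log check described in the bullets above, as an added example (not taken from the Nuclei template or from Icinga): it matches the path segment under any base path, so all three variants are covered, and it does not require any session context. The `SYSTEM_ROOTS` list, the Combined Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

SEGMENT = "/lib/icinga/icinga-php-thirdparty/"   # path segment from the page
# Assumption: top-level system directories that do not exist inside the library root.
SYSTEM_ROOTS = ("etc/", "proc/", "var/", "home/", "root/", "usr/")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path = unquote(target.split("?", 1)[0])      # drop query string, decode %xx
    idx = path.find(SEGMENT)                     # any base path: root, /icinga2, /icinga-web
    if method != "GET" or idx < 0:
        return None
    rest = path[idx + len(SEGMENT):].lstrip("/")
    if not (rest.startswith(SYSTEM_ROOTS) or ".." in rest.split("/")):
        return None                              # ordinary library asset request
    return {
        "ip": ip,
        "base": path[:idx] or "/",
        "file": "/" + rest,
        "served": status == "200",               # 200: file content was returned
        "config": rest.startswith("etc/icingaweb2/"),  # credentials may be exposed
    }

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample access-log lines (documentation IP ranges, hypothetical asset path).
SAMPLE = [
    '192.0.2.10 - - [08/Mar/2022:10:00:00 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Mar/2022:10:00:01 +0000] "GET /lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1530 "-" "-"',
    '198.51.100.7 - - [08/Mar/2022:10:00:02 +0000] "GET /icinga2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.7 - - [08/Mar/2022:10:00:03 +0000] "GET /icinga-web/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [08/Mar/2022:10:00:04 +0000] "GET /lib/icinga/icinga-php-thirdparty/asset/example.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `served` and `config` both true means a configuration file was returned to the client, which is the case where the advisory's credential rotation applies.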

CVSS provenance

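| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |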