CVE-2024-49369 [Critical] | Security Bypass in Icinga

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	24.07%	2.93%	-21.14%
2	2026-05-15	25.51%	24.07%	-1.44%
3	2026-05-02	—	25.51%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

24.07%

2.93%

-21.14%

2026-05-15

25.51%

24.07%

-1.44%

2026-05-02

—

25.51%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

OS Trackers for CVE-2024-49369

vendor	priority	summary	link
`alpine`	—	CVE-2024-49369: 1 source package rows (icinga2); 5 state rows across 3 repos (3.20-community, 3.22-community, edge-community); fixed 0, open 5.	https://security.alpinelinux.org/vuln/CVE-2024-49369
`debian`	not yet assigned	CVE-2024-49369 not yet assigned priority: Debian including 1 source packages (icinga2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2024-49369
`gentoo`	low	CVE-2024-49369: 1 GLSA(s) (202412-08), 1 atom(s) (net-analyzer/icinga2); latest impact low.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2024-49369
`suse`	critical	CVE-2024-49369 severity critical: SUSE including 24 source package names (icinga2-2.13.10-bp155.3.3.1, icinga2-2.13.10-bp156.4.3.1, …), 40 product×package rows across 5 product lines (SUSE Package Hub 15 SP5, SUSE Package Hub 15 SP6, … (5 product lines)): Fixed 40.	https://www.suse.com/security/cve/CVE-2024-49369/
`ubuntu`	medium	CVE-2024-49369 medium priority: Ubuntu including 1 source packages (icinga2), 9 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream, xenial): needs-triage 5, not-affected 2, ignored 1, released 1.	https://ubuntu.com/security/CVE-2024-49369

Affected software / configurations for CVE-2024-49369

Vendor	Product	Version	Raw CPE
icinga	icinga	>= 2.4.0, < 2.11.12	cpe:2.3:a:icinga:icinga::::::::
icinga	icinga	>= 2.12.0, < 2.12.11	cpe:2.3:a:icinga:icinga::::::::
icinga	icinga	>= 2.13.0, < 2.13.10	cpe:2.3:a:icinga:icinga::::::::
icinga	icinga	>= 2.14.0, < 2.14.3	cpe:2.3:a:icinga:icinga::::::::
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References for CVE-2024-49369

URL	Tags
https://github.com/Icinga/icinga2/commit/0419a2c36de408e9a703aec0962061ec9a285d3c	Patch
https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8	Patch
https://github.com/Icinga/icinga2/commit/3504fc7ed688c10d86988e2029a65efc311393fe	Patch
https://github.com/Icinga/icinga2/commit/869a7d6f0fe38c748e67bacc1fbdd42c933030f6	Patch
https://github.com/Icinga/icinga2/commit/8fed6608912c752b337d977f730547875a820831	Patch
https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv	Patch Vendor Advisory
https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3	Release Notes
https://lists.debian.org/debian-lts-announce/2024/11/msg00010.html	Mailing List Third Party Advisory

URL

CVE-2024-49369 | Icinga 2 has a TLS Certificate Validation Bypass for JSON-RPC and HTTP API Connections

Exploit prediction scoring system (EPSS) score for CVE-2024-49369

Common vulnerability scoring system (CVSS) metrics for CVE-2024-49369

Weakness enumeration for CVE-2024-49369

OS Trackers for CVE-2024-49369

Affected software / configurations for CVE-2024-49369

References for CVE-2024-49369