Cyber Posture

CVE-2026-24892

Severity: High · Public PoC

Published: 20 February 2026
Modified: 02 March 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence of an unrestricted unserialize() call constitutes a latent PHP object injection vulnerability. If future code changes, plugins, or refactors introduce object values into this path, the vulnerability could become immediately exploitable with severe impact, including potential remote code execution.
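The pattern the description refers to, shown as an added illustration that is not openITCOCKPIT's own code: an unrestricted unserialize() call beside a hardened variant that passes allowed_classes => false and shape-checks the result. Function names and the sample payloads are hypothetical and constructed for this example.

```php
<?php
// Added illustration, not openITCOCKPIT code. Function names are hypothetical.

// Latent pattern: every class named in the serialized string is instantiated,
// so magic methods (__wakeup, __destruct) of any loaded class can run on
// untrusted input. Safe only as long as no object can reach this path.
function decodeChangelogUnrestricted(string $serialized): array
{
    $data = unserialize($serialized);
    return is_array($data) ? $data : [];
}

// Hardened form: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, so no application class is instantiated.
// The decoded value is then checked to be a plain array with no objects.
function decodeChangelogSafe(string $serialized): array
{
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('changelog payload is not an array');
    }
    // array_walk_recursive descends into nested arrays and hands every leaf
    // to the callback; an __PHP_Incomplete_Class leaf is still an object.
    array_walk_recursive($data, function ($value): void {
        if (is_object($value)) {
            throw new UnexpectedValueException('object found in changelog data');
        }
    });
    return $data;
}

// Constructed sample: an ordinary changelog record is a nested array and passes.
$benign = serialize(['name' => ['old' => 'host1', 'new' => 'host2']]);
$record = decodeChangelogSafe($benign);
echo $record['name']['new'], PHP_EOL;

// Constructed sample: a record that carries an object is rejected rather than
// instantiated, which is the behaviour the unrestricted variant lacks.
$withObject = serialize(['name' => new stdClass()]);
try {
    decodeChangelogSafe($withObject);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the data is produced by the application itself, json_encode()/json_decode() avoids the object-instantiation problem entirely and is the usual replacement for serialize()/unserialize() in this kind of path.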

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent

Directly requires timely identification, reporting, and patching of the PHP deserialization flaw, as addressed by upgrading to openITCOCKPIT version 5.4.0.

prevent

Mandates validation of serialized changelog inputs to ensure consistency and reject attacker-influenced data before unsafe deserialization.

detect

Facilitates ongoing vulnerability scanning to identify the latent PHP object injection risk in openITCOCKPIT.

Security Summary [AI-generated]

CVE-2026-24892 is a latent PHP object injection vulnerability stemming from an unsafe PHP deserialization pattern in the processing of changelog entries within openITCOCKPIT Community Edition version 5.3.1 and earlier. openITCOCKPIT is an open source monitoring tool designed for engines like Nagios, Naemon, and Prometheus. The issue arises because serialized changelog data, potentially influenced by an attacker through application state, is processed via an unrestricted unserialize() call without limiting allowed classes. While no current application endpoints introduce PHP objects into this data path, the vulnerability represents a PHP object injection risk that could activate under future code changes, plugins, or refactors.

Exploitation requires low privileges (PR:L) and network access (AV:N), but demands high attack complexity (AC:H) due to the current lack of a direct injection path. A successful attack could yield high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.5. If object injection becomes feasible, it could enable severe outcomes such as remote code execution, though no such path exists in the affected versions.

Mitigation involves upgrading to openITCOCKPIT version 5.4.0, which addresses the issue via a commit (975e0d0dfb79898568afbbfdba8f647d92612a69). Additional details are available in the project's security advisory (GHSA-g83p-vvjm-g39x).

Details

CWE(s)

Affected Products

it-novum
openitcockpit
≤ 5.4.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a PHP object injection in a public-facing web application (openITCOCKPIT), directly enabling exploitation of public-facing applications for potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References