Company:
Date Published:
Author: Thomas Chauchefoin
Word count: 1952
Language: English
Hacker News points: None

Summary

Icinga Web 2, a modern open-source IT monitoring system, has been found to contain two vulnerabilities that allow attackers to compromise the server: a path traversal and a remote code execution. The first vulnerability (CVE-2022-24716) enables the disclosure of any file on the server without authentication or prior knowledge of a user account, while the second vulnerability (CVE-2022-24715) allows the execution of arbitrary PHP code from the administration interface. The two can be chained: an attacker who discloses configuration files with the first vulnerability, reaches the database and modifies the administrator's password can then use the administration interface to execute code and compromise the server. Icinga has released patches for these vulnerabilities in versions 2.8.6, 2.9.6, and 2.10, and recommends that users expose their systems only to trusted IP addresses or put them behind a centralized authentication system.