diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00187f950..15f1c8498 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,8 +9,12 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ## 2.15.2 (2026-01-29)
-Additionally, it includes two minor bug fixes regarding SELinux policies and the OpenSSL version shipped on Windows.
+This security release fixes a problem in the Icinga 2 Windows MSI that did not
+set proper permissions for `%ProgramData%\icinga2\var`. Additionally, it includes
+two minor bug fixes regarding our SELinux policy and updates the OpenSSL version
+shipped on Windows.
+* CVE-2026-24413: Fix permissions of `%ProgramData%\icinga2\var` on Windows.
 * Windows: Update to OpenSSL 3.0.19. #10706
 * SELinux: Fix policy to allow `logrotate` to execute the `icinga2` binary in order to send `SIGUSR1` for log rotation. #10643
 * SELinux: Fix policy to allow `icinga2` to send `SIGTERM` to nagios plugins processes on timeout. #10694
diff --git a/icinga-installer/icinga-installer.cpp b/icinga-installer/icinga-installer.cpp
index 4dc050de6..2095627ed 100644
--- a/icinga-installer/icinga-installer.cpp
+++ b/icinga-installer/icinga-installer.cpp
@@ -270,8 +270,15 @@ static int InstallIcinga(void)
 // TODO: In Icinga 2.14, rename features-available/mainlog.conf to mainlog.conf.deprecated
 // so that it's no longer listed as an available feature.
- ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m");
- ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f");
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\" /grant *S-1-5-20:(oi)(ci)m")){
+ throw std::runtime_error("failed to set ACLs for " + dataDir);
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\etc\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\etc");
+ }
+ if (!ExecuteCommand("icacls", "\"" + dataDir + "\\var\" /inheritance:r /grant:r *S-1-5-20:(oi)(ci)m *S-1-5-32-544:(oi)(ci)f")) {
+ throw std::runtime_error("failed to set ACLs for " + dataDir + "\\var");
+ }
 ExecuteIcingaCommand("--scm-install daemon");
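Review bot: The new `icacls` call on `dataDir + "\\var"` rewrites the ACL of the directory object only (no `/T`), so on an upgrade anything already inside `var` that carries explicit ACEs or is owned by a non-administrative account keeps that access. Since the premise of the fix is that this directory was under-protected before, consider a recursive pass over the existing children before `--scm-install daemon` runs, for example `icacls "%ProgramData%\icinga2\var\*" /reset /T`, plus an ownership check. The first call on `dataDir` still uses plain `/grant` without `/inheritance:r`, so any child other than `etc` and `var` continues to inherit from the parent; a one-line comment stating why that is acceptable would help the next reader. Whether the thrown `std::runtime_error` is caught, and whether `ExecuteCommand` returns false on a non-zero `icacls` exit code, is decided outside this hunk, as InstallIcinga's body starts and ends beyond it.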