CVE-2025-23203

5.5 MEDIUM

📋 TL;DR

This vulnerability in Icinga Director allows authenticated users with API access to bypass object-level restrictions and retrieve or modify configuration data for objects they shouldn't have access to. It affects Icinga Director versions 1.0.0 through 1.10.3 and 1.11.3, enabling information disclosure and unauthorized configuration changes.

💻 Affected Systems

Products:
  • Icinga Director
Versions: 1.0.0 through 1.10.3 and 1.11.3
Operating Systems: All platforms running Icinga Director
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Director access permissions and API access. Affects specific REST API endpoints including service, notification, serviceset, and scheduled-downtime endpoints.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users could reconfigure monitoring systems, disable alerts, modify service configurations, and potentially gain access to sensitive infrastructure information, leading to operational disruption and data breaches.

🟠 Likely Case

Privilege escalation where users with limited permissions can access and modify objects outside their authorized scope, potentially altering monitoring configurations or discovering restricted host information.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to authorized users within the monitoring system, though they could still exceed their intended permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of object names. The vulnerability is in authorization logic, not authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.4 and 1.11.4

Vendor Advisory: https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3233-ggc5-m3qg

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Upgrade to Icinga Director version 1.10.4 (for the 1.10.x branch) or 1.11.4 (for the 1.11.x branch).
3. Restart Icinga services.
4. Verify functionality.

🔧 Temporary Workarounds

Disable Director module for non-admin users

Applies to: all

Temporarily restrict access to the Icinga Director module for all users except administrators.

# Modify Icinga Web 2 configuration to restrict module access
# Edit /etc/icingaweb2/roles.ini or equivalent configuration

🧯 If You Can't Patch

  • Implement strict network access controls to limit Director API access to trusted IPs only
  • Review and audit all user permissions, removing unnecessary Director access
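
The workaround above and the permission audit bullet both come down to the same file, roles.ini. The following script is an added example (not part of this advisory page and not Icinga's own tooling) that parses a constructed roles.ini, lists the roles that hold Director API access while relying on an object-level restriction (exactly the combination the vulnerable endpoints fail to enforce), and emits a hardened copy with Director access stripped from every non-admin role. The permission names module/director and director/api and the restriction key director/filter/hostgroups are assumptions about Director's naming; confirm them against your own roles.ini before acting on the output.

```python
import configparser
import io

# Constructed roles.ini in Icinga Web 2's format (one section per role).
# module/director, director/api and director/filter/hostgroups are assumed
# Director permission/restriction names, not values taken from the advisory.
SAMPLE_ROLES_INI = """\
[Administrators]
users = "admin"
permissions = "*"

[Director Operators]
groups = "ops"
permissions = "module/monitoring, module/director, director/api, director/hosts"
director/filter/hostgroups = "linux-servers"

[Monitoring Viewers]
groups = "viewers"
permissions = "module/monitoring"
"""

# Any permission starting with one of these grants some Director access.
DIRECTOR_PERMS = ("module/director", "director/")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys such as director/filter/hostgroups verbatim
    cp.read_string(text)
    return cp


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def permissions_of(section):
    raw = _unquote(section.get("permissions", ""))
    return [p.strip() for p in raw.split(",") if p.strip()]


def grants(perms, wanted):
    """True if the permission list covers `wanted`, honouring '*' and 'prefix/*'."""
    for p in perms:
        if p == "*" or p == wanted:
            return True
        if p.endswith("/*") and wanted.startswith(p[:-1]):
            return True
    return False


def director_restrictions(section):
    return {k: _unquote(v) for k, v in section.items() if k.startswith("director/filter/")}


def audit_roles(text):
    """Roles that hold Director API access *and* rely on an object-level restriction.

    These are the roles whose restriction the affected endpoints do not enforce,
    so they are the ones to tighten until Director is patched.
    """
    cp = _parse(text)
    findings = []
    for name in cp.sections():
        section = cp[name]
        perms = permissions_of(section)
        if "*" in perms:
            continue  # unrestricted administrators are out of scope
        restrictions = director_restrictions(section)
        if grants(perms, "director/api") and restrictions:
            findings.append({"role": name, "permissions": perms, "restrictions": restrictions})
    return findings


def harden_roles(text):
    """Return a roles.ini with Director access removed from every non-admin role.

    This applies the page's workaround (Director for administrators only)
    mechanically; restrictions stay in place so they work again after upgrading.
    """
    cp = _parse(text)
    for name in cp.sections():
        section = cp[name]
        perms = permissions_of(section)
        if "*" in perms:
            continue
        kept = [p for p in perms if not p.startswith(DIRECTOR_PERMS)]
        if kept:
            section["permissions"] = '"%s"' % ", ".join(kept)
        elif "permissions" in section:
            del section["permissions"]
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES_INI):
        print("role %(role)r has director/api together with restrictions %(restrictions)r" % f)
    print(harden_roles(SAMPLE_ROLES_INI))
```

Run it against a copy of /etc/icingaweb2/roles.ini rather than the live file, review the hardened output, and only then swap it in; roles that lose module/director also lose the Director UI, which is the intended effect of the workaround.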

🔍 How to Verify

Check if Vulnerable:

Check the Icinga Director version via the Icinga Web 2 interface or by examining the installed package version. Versions 1.0.0 through 1.10.3, and version 1.11.3, are vulnerable.

Check Version:

icingacli module list director | grep Version

Verify Fix Applied:

Confirm version is 1.10.4 or higher (for 1.10.x branch) or 1.11.4 or higher (for 1.11.x branch). Test API endpoints with restricted user accounts to ensure proper authorization.
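
Version gating is where fleet-wide checks usually go wrong, because "1.9.0" sorts after "1.10.3" as a string. The snippet below is an added example, not part of this page or of Icinga's tooling: it turns a version string (pasted from the package manager or the command above) into a comparable tuple and classifies it using exactly the ranges this advisory states. Versions 1.11.0 through 1.11.2 are not listed on this page as either affected or fixed, so they are reported as "not listed" rather than guessed at.

```python
import re
import sys

# Ranges exactly as this advisory states them:
# 1.0.0 through 1.10.3, and 1.11.3, are vulnerable; 1.10.4 and 1.11.4 fix it.
VULNERABLE_RANGES = (((1, 0, 0), (1, 10, 3)), ((1, 11, 3), (1, 11, 3)))
FIX_PER_BRANCH = {(1, 10): (1, 10, 4), (1, 11): (1, 11, 4)}


def parse_version(text):
    """Extract x.y.z from strings such as '1.10.3', 'v1.11.4' or '1.10.4-1'.

    Comparing integer tuples avoids the string-comparison pitfall where
    '1.9.0' > '1.10.3'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'not listed' per the advisory's ranges."""
    v = parse_version(version_text)
    if any(low <= v <= high for low, high in VULNERABLE_RANGES):
        return "vulnerable"
    fix = FIX_PER_BRANCH.get(v[:2])
    if fix is not None:
        return "fixed" if v >= fix else "not listed"
    # Branches newer than 1.11 carry the fix; anything older is outside the page's ranges.
    return "fixed" if v > (1, 11, 4) else "not listed"


if __name__ == "__main__":
    # Usage: python check_director.py 1.10.3   (or pipe the version on stdin)
    text = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    print("Icinga Director %s: %s" % (parse_version(text), classify(text)))
```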

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized API requests to affected endpoints (service, notification, serviceset, scheduled-downtime)
  • Multiple 200 responses from filtered host queries by non-admin users

Network Indicators:

  • Unusual API call patterns to Director endpoints from non-admin users
  • Requests attempting to access objects by name without proper authorization

SIEM Query:

source="icinga" AND (endpoint="director/service" OR endpoint="director/notification" OR endpoint="director/serviceset" OR endpoint="director/scheduled-downtime") AND user!="admin" AND response_code=200
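
The SIEM query above assumes the fields are already normalised. The script below is an added example (not from this page or from Icinga) that applies the same logic directly to Apache/nginx combined-format access log lines, where Director API clients using HTTP Basic auth leave the user name in the third field. It flags 200 responses to the four affected endpoints from any account outside an expected-users set, and counts hits per user for triage. The log lines, user names, hosts and addresses are constructed, and the "admin" allow-list is an assumption to replace with your own service accounts.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Director REST endpoints the advisory lists as affected.
AFFECTED_ENDPOINTS = {"service", "notification", "serviceset", "scheduled-downtime"}

# Accounts whose Director API use is expected (site-specific; an assumption here).
EXPECTED_API_USERS = {"admin"}

# Apache/nginx "combined" access log. Basic-auth API clients put the user name in
# the third field; browser sessions show "-" there and need Icinga Web's own logs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ENDPOINT_RE = re.compile(r"/director/(?P<endpoint>[a-z-]+)(?:[/?]|$)")

# Constructed sample lines: users, hosts and addresses are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:10:00:01 +0000] "GET /icingaweb2/director/service?name=ping4&host=web01 HTTP/1.1" 200 842 "-" "curl/8.5.0"
10.0.0.23 - ops-restricted [12/Mar/2025:10:00:07 +0000] "GET /icingaweb2/director/service?name=ping4&host=db-prod-01 HTTP/1.1" 200 842 "-" "curl/8.5.0"
10.0.0.23 - ops-restricted [12/Mar/2025:10:00:09 +0000] "POST /icingaweb2/director/scheduled-downtime HTTP/1.1" 200 121 "-" "python-requests/2.31"
10.0.0.23 - ops-restricted [12/Mar/2025:10:00:11 +0000] "GET /icingaweb2/director/host?name=db-prod-01 HTTP/1.1" 403 96 "-" "curl/8.5.0"
10.0.0.23 - ops-restricted [12/Mar/2025:10:00:15 +0000] "GET /icingaweb2/director/hosts HTTP/1.1" 200 3012 "-" "curl/8.5.0"
10.0.0.9 - - [12/Mar/2025:10:01:00 +0000] "GET /icingaweb2/director/service?name=ping4&host=web02 HTTP/1.1" 200 842 "-" "Mozilla/5.0"
10.0.0.23 - ops-restricted [12/Mar/2025:10:01:30 +0000] "GET /icingaweb2/director/notification?name=mail-db-admins HTTP/1.1" 200 410 "-" "curl/8.5.0"
"""


@dataclass(frozen=True)
class Finding:
    user: str
    client: str
    method: str
    endpoint: str
    path: str


def parse_line(line):
    """Return the access-log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines, expected_users=EXPECTED_API_USERS):
    """Successful requests to affected endpoints by authenticated, non-expected users.

    The access log cannot tell whether the object was outside the caller's
    restriction, so each hit is a triage lead to correlate with the role's
    director/filter settings, not a confirmed bypass.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        if rec["user"] == "-" or rec["user"] in expected_users:
            continue
        em = ENDPOINT_RE.search(rec["path"])
        if not em or em.group("endpoint") not in AFFECTED_ENDPOINTS:
            continue
        findings.append(Finding(rec["user"], rec["client"], rec["method"],
                                em.group("endpoint"), rec["path"]))
    return findings


def per_user_counts(findings):
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print("%s %s %s from %s -> %s" % (h.user, h.method, h.endpoint, h.client, h.path))
    print(dict(per_user_counts(hits)))
```

The 403 on the host endpoint next to a 200 on the service endpoint for the same host is the pattern worth eyeballing: the object-level restriction is enforced on one path and silent on the other, which is what this CVE describes.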
