CVE-2025-27404
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Icinga Web 2 that allows attackers to craft malicious URLs. When any user visits such a URL, arbitrary JavaScript can be executed in their browser session, enabling attackers to perform actions on behalf of that user. All Icinga Web 2 installations prior to versions 2.11.5 (2.11.x branch) and 2.12.3 (2.12.x branch) are affected.
💻 Affected Systems
- Icinga Web 2
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform unauthorized actions as authenticated users, redirect users to malicious sites, or compromise the entire monitoring system.
Likely Case
Attackers would typically steal session tokens to gain unauthorized access, modify monitoring configurations, or exfiltrate sensitive monitoring data.
If Mitigated
With proper Content Security Policy (CSP) enabled, the impact is significantly reduced as CSP can block inline script execution and restrict script sources.
🎯 Exploit Status
Exploitation requires user interaction (visiting a crafted URL) but does not require the attacker to be authenticated. The attacker needs to trick a user into clicking a malicious link; the script then runs with that user's session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.5 or 2.12.3
Vendor Advisory: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-c6pg-h955-wf66
Restart Required: No
Instructions:
1. Back up your current Icinga Web 2 installation.
2. Download and install version 2.11.5 (for the 2.11.x branch) or 2.12.3 (for the 2.12.x branch).
3. Verify the installation completes successfully.
4. Test monitoring functionality.
🔧 Temporary Workarounds
Enable Content Security Policy
For Icinga Web 2.12.2 users, enable CSP in the application settings to mitigate XSS attacks by restricting script execution.
Navigate to Icinga Web 2 admin interface > Application > Security > Enable Content Security Policy
🧯 If You Can't Patch
- Implement strict Content Security Policy headers at the web server level (Apache/Nginx) to restrict script execution.
- Deploy a Web Application Firewall (WAF) with XSS protection rules to block malicious requests.
🔍 How to Verify
Check if Vulnerable:
Check your Icinga Web 2 version via the web interface footer or configuration files. If the version is below 2.11.5 (2.11.x) or 2.12.3 (2.12.x), you are vulnerable.
Check Version:
grep -i version /usr/share/icingaweb2/version.php 2>/dev/null || cat /usr/share/icingaweb2/VERSION 2>/dev/null
Verify Fix Applied:
After patching, verify the version shows 2.11.5 or higher (for 2.11.x) or 2.12.3 or higher (for 2.12.x). Test that monitoring functions work normally.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with JavaScript payloads in access logs
- Multiple failed authentication attempts following suspicious URL visits
- Unexpected configuration changes in monitoring rules
Network Indicators:
- HTTP requests containing suspicious script tags or JavaScript code in URL parameters
- Outbound connections to unknown domains following Icinga Web 2 access
SIEM Query:
source="icingaweb2_access.log" AND (url="*javascript:*" OR url="*<script>*" OR url="*onload=*" OR url="*onerror=*")
Note that request URIs in access logs are normally percent-encoded, so a literal match like the one above misses payloads such as %3Cscript%3E; decode the URL field before matching, or add the encoded forms to the query.
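As an added example (not code from the advisory or from the Icinga project), the following Python script applies the same four indicators as the SIEM query to Apache combined-format access-log lines, but only after repeatedly percent-decoding the request URI, so single- and double-encoded payloads that a literal wildcard match would miss are still flagged. The log lines, IP addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] "GET /icingaweb2/monitoring/list/hosts?host=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "GET /icingaweb2/search?q=x%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Mar/2025:10:00:04 +0000] "GET /icingaweb2/monitoring/list/services?service=onload_check HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address and request URI from a combined-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# The indicators from the SIEM query above, tolerant of case and whitespace.
INDICATORS = {
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "script_tag": re.compile(r"<\s*script", re.I),
    "onload_handler": re.compile(r"\bonload\s*=", re.I),
    "onerror_handler": re.compile(r"\bonerror\s*=", re.I),
}

def fully_decode(uri: str, rounds: int = 3) -> str:
    # Percent-decode repeatedly so double-encoded payloads are normalised too.
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def literal_match(uri: str) -> bool:
    # What a plain wildcard match on the raw, still-encoded URL would see.
    return any(p in uri.lower() for p in ("javascript:", "<script>", "onload=", "onerror="))

def scan_access_log(log_text: str) -> list:
    # One finding per request whose decoded URI contains an indicator.
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, raw_uri = m.group(1), m.group(2)
        decoded = fully_decode(raw_uri)
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                findings.append({"client": client, "indicator": name, "raw_uri": raw_uri,
                                 "decoded_uri": decoded, "seen_by_literal_query": literal_match(raw_uri)})
                break
    return findings
```

Running `scan_access_log(SAMPLE_LOG)` reports the two encoded requests and shows, via `seen_by_literal_query`, that neither would have matched the raw URL; the `onload_check` parameter is correctly left alone.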