CVE-2025-61907
📋 TL;DR
This vulnerability allows authenticated API users in Icinga 2 to bypass permission restrictions and access sensitive information they shouldn't have access to. Attackers can exploit filter expressions in API endpoints to view global variables and objects hidden by permissions. All Icinga 2 installations with API access are affected.
💻 Affected Systems
- Icinga 2
📦 What is this software?
Icinga by Icinga
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full visibility into monitoring infrastructure, including sensitive configuration data, credentials in variables, and all monitored objects, potentially enabling further attacks.
Likely Case
Unauthorized access to sensitive monitoring data, configuration details, and potentially credential information stored in global variables.
If Mitigated
Limited information disclosure if strict network segmentation and minimal API permissions are already in place.
🎯 Exploit Status
Requires authenticated API access. Attackers need valid credentials but can then bypass permission checks using crafted filter expressions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.1, 2.14.7, or 2.13.13
Vendor Advisory: https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v
Restart Required: No
Instructions:
1. Identify your current Icinga 2 version.
2. Upgrade to 2.15.1, 2.14.7, or 2.13.13 based on your maintenance branch.
3. Verify the upgrade completed successfully.
4. No service restart is required for patch application.
🔧 Temporary Workarounds
Restrict API Access
Limit API access to trusted networks and users only
# Configure firewall rules to restrict access to Icinga API port (default 5665)
# Example: iptables -A INPUT -p tcp --dport 5665 -s trusted_network -j ACCEPT
# Example: iptables -A INPUT -p tcp --dport 5665 -j DROP
Minimize API Permissions
Reduce API user permissions to the minimum required
# Review and tighten API user permissions in Icinga configuration
# Example (Icinga 2 config DSL separates attributes with newlines or semicolons, and permission strings use the documented capitalized type name; "secret" is a placeholder):
# object ApiUser "limited_user" { password = "secret"; permissions = [ "objects/query/Host" ] }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Icinga API from untrusted networks
- Review and audit all API user accounts, removing unnecessary accounts and minimizing permissions
🔍 How to Verify
Check if Vulnerable:
Check Icinga 2 version and compare against affected range (2.4-2.15.0)
Check Version:
icinga2 --version
Verify Fix Applied:
Verify the running version is 2.15.1, 2.14.7, or 2.13.13, or a later release of the same maintenance branch
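Added example (not part of the advisory): a small Python check that parses the `icinga2 --version` banner and maps the version onto the affected range (2.4 to 2.15.0) and the per-branch fixed releases listed above. The banner shape `(version: r2.14.3-1)` and the assumption that branches newer than 2.15 are unaffected are mine, not stated on the page.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory, keyed by maintenance branch.
FIXED_BY_BRANCH = {(2, 13): (2, 13, 13), (2, 14): (2, 14, 7), (2, 15): (2, 15, 1)}
FIRST_AFFECTED: Version = (2, 4, 0)   # affected range per the advisory: 2.4 to 2.15.0
OLDEST_FIXED_BRANCH = (2, 13)          # oldest branch with a patched release

# Assumed (not taken from the page) shape of the banner: "... (version: r2.14.3-1)".
VERSION_RE = re.compile(r"version:\s*r?(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the version banner, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: Version) -> Tuple[bool, str]:
    """Return (vulnerable, recommendation) for a parsed version."""
    if version < FIRST_AFFECTED:
        return False, "predates the affected range (2.4 to 2.15.0); not affected"
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        if version >= fixed:
            return False, "fixed release of branch %d.%d" % branch
        return True, "upgrade to %d.%d.%d" % fixed
    if branch < OLDEST_FIXED_BRANCH:
        # Affected branch with no patched release of its own: move to a maintained branch.
        return True, "unsupported branch; upgrade to at least 2.13.13"
    # Assumption: branches newer than 2.15 were released after the fix and are not affected.
    return False, "newer than the affected range; not affected"


def check_output(output: str) -> Tuple[Optional[bool], str]:
    """Convenience wrapper over the raw `icinga2 --version` text."""
    version = parse_version(output)
    if version is None:
        return None, "could not find a version string in the output"
    return assess(version)


if __name__ == "__main__":
    import subprocess
    banner = subprocess.run(["icinga2", "--version"], capture_output=True, text=True).stdout
    print(check_output(banner))
```

Run it on the host being verified; a `(True, "upgrade to ...")` result means the installed release is inside the affected range for its branch.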
📡 Detection & Monitoring
Log Indicators:
- Unusual API query patterns
- Multiple failed permission checks followed by successful queries
- API requests with complex filter expressions
Network Indicators:
- Unusual volume of API requests to /v1/objects endpoints
- API requests from unexpected sources
SIEM Query:
source="icinga2" AND (uri_path="/v1/objects/*" AND (filter_expression CONTAINS "*" OR response_size > threshold))