CVE-2025-61908
📋 TL;DR
This vulnerability in Icinga 2 allows any authenticated API user to crash the monitoring daemon by creating invalid references (such as null references) in filter expressions. Affected versions start at 2.10.0 and include 2.15.0, 2.14.6 and earlier, and 2.13.12 and earlier. Organizations running a vulnerable version with API access enabled are at risk of service disruption.
💻 Affected Systems
- Icinga 2
📦 What is this software?
Icinga by Icinga
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for the Icinga 2 monitoring system, potentially disrupting monitoring of critical infrastructure and services.
Likely Case
Temporary service disruption requiring daemon restart, causing monitoring gaps until service is restored.
If Mitigated
Minimal impact if API access is restricted to trusted users only and proper network segmentation is in place.
🎯 Exploit Status
Requires authenticated API access and knowledge of how to craft malicious filter expressions. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.1, 2.14.7, or 2.13.13
Vendor Advisory: https://github.com/Icinga/icinga2/security/advisories/GHSA-v9jg-xqhj-f43g
Restart Required: Yes
Instructions:
1. Identify your current Icinga 2 version.
2. Upgrade to the patched version matching your release track (2.15.1, 2.14.7, or 2.13.13).
3. Restart the Icinga 2 daemon.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Restrict API Access
Limit API endpoint access to only trusted users and networks using firewall rules and authentication controls.
Disable Unnecessary API Endpoints
Disable API endpoints that allow filter expressions if they are not required for your monitoring setup.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Icinga 2 API endpoints from untrusted networks.
- Enforce strong authentication and authorization controls for all API users, limiting access to minimum required privileges.
🔍 How to Verify
Check if Vulnerable:
Check Icinga 2 version with 'icinga2 --version' and compare against affected versions. Also verify API endpoint accessibility.
Check Version:
icinga2 --version
Verify Fix Applied:
After patching, confirm version shows 2.15.1, 2.14.7, or 2.13.13 or higher. Test API functionality to ensure normal operation.
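The version comparison described above, as an added shell example that is not part of the original page or of the Icinga project. It assumes the version is the first MAJOR.MINOR.PATCH triple on the first line of `icinga2 --version` output; the function name `classify_icinga2_version` is hypothetical.

```shell
#!/bin/sh
# Added example: classify an Icinga 2 version against the ranges this page
# gives for CVE-2025-61908. Prints vulnerable | patched | not-affected | unknown.
classify_icinga2_version() {
    # Take the first MAJOR.MINOR.PATCH triple from the argument, which may be a
    # bare version ("2.14.6") or a whole line of `icinga2 --version` output
    # (output format is an assumption, see lead-in).
    _v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    [ -n "$_v" ] || { echo unknown; return 0; }
    _major=${_v%%.*}; _rest=${_v#*.}
    _minor=${_rest%%.*}; _patch=${_rest#*.}

    # Outside the 2.x series: older is before 2.10.0, newer is past 2.15.1.
    if [ "$_major" -lt 2 ]; then echo not-affected; return 0; fi
    if [ "$_major" -gt 2 ]; then echo patched; return 0; fi

    # First fixed patch level per release track (from the Official Fix section).
    case "$_minor" in
        13) _fixed=13 ;;
        14) _fixed=7 ;;
        15) _fixed=1 ;;
        *)
            if [ "$_minor" -lt 10 ]; then echo not-affected   # before 2.10.0
            elif [ "$_minor" -lt 13 ]; then echo vulnerable   # 2.10-2.12: no fixed release listed
            else echo patched                                 # newer than the 2.15 track
            fi
            return 0 ;;
    esac
    if [ "$_patch" -ge "$_fixed" ]; then echo patched; else echo vulnerable; fi
}

# Run against the local daemon when the binary is present.
if command -v icinga2 >/dev/null 2>&1; then
    classify_icinga2_version "$(icinga2 --version 2>/dev/null | head -n 1)"
fi
```

A result of `unknown` means no version triple was found in the input and the version should be checked by hand.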
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in Icinga 2 logs
- Unexpected daemon crashes or restarts
- Suspicious API requests with complex filter expressions
Network Indicators:
- Unusual API traffic patterns from unexpected sources
- Multiple failed API requests followed by service disruption
SIEM Query:
source="icinga2.log" AND ("segmentation fault" OR "segfault" OR "daemon crashed")