CVE-2025-48057
CRITICALIcinga 2 <2.12.12-2.14.6 - Certificate Validation
Title source: llmDescription
Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.
References (6)
Core 6
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/Icinga/icinga2/security/advisories/GHSA-7vcf-f5v9-3wr6
Patch x_refsource_misc
https://github.com/Icinga/icinga2/commit/34c93a2542bbe4e9886d15bc17ec929ead1aa152
Patch x_refsource_misc
https://github.com/Icinga/icinga2/commit/4023128be42b18a011dda71ddee9ca79955b89cb
Patch x_refsource_misc
https://github.com/Icinga/icinga2/commit/60f75f4a3d5cbb234eb3694ba7e9076a1a5b8776
Patch x_refsource_misc
https://github.com/Icinga/icinga2/commit/9ad5683aab9eb392c6737ff46c830a945c9e240f
Scores
CVSS v3
9.8
EPSS
0.0021
EPSS Percentile
42.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-296
Status
published
Products (1)
icinga/icinga
< 2.12.12
Published
May 27, 2025
Tracked Since
Feb 18, 2026