CVE-2025-61907

MEDIUM

Icinga < 2.13.13 - Information Disclosure

Title source: rule

Description

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

References (2)

[Patch, Vendor Advisory] https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v

[Patch] https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-749 CWE-204 CWE-200

Status published

Products (2)

icinga/icinga 2.15.0

icinga/icinga 2.4.0 - 2.13.13

Published Oct 16, 2025

Tracked Since Feb 18, 2026