Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12.
In Icinga 2, starting from version 2.4.0, the TLS certificate verification mechanism (CWE-295 — improper certificate validation) was implemented with flaws. An attacker can present an invalid or forged TLS certificate that will be incorrectly accepted by the system. This enables impersonation of both trusted nodes in the Icinga cluster and ApiUser objects that use TLS client certificates (with the client_cn attribute set) for API authentication.
An attacker can take full control over Icinga cluster communication and gain unauthorized access to the API with privileges of impersonated users, leading to violations of confidentiality, integrity, and availability of the monitoring system.
Icinga 2 should be updated to version v2.14.3, v2.13.10, v2.12.11, or v2.11.12 — depending on the branch in use. Patches are available in the vendor's GitHub repository.
Icinga 2 in versions 2.4.0 and above (before patches: v2.14.3, v2.13.10, v2.12.11, v2.11.12); also affects installations on Debian Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDebian
OSDebian11.0Icinga
APPIcinga2.4.0 – 2.11.12 (bez)2.12.0 – 2.12.11 (bez)2.13.0 – 2.13.10 (bez)2.14.0 – 2.14.3 (bez)
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki