CVE-2025-61909

16.10.2025, 18:15

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can allow the Icinga user to send signals to processes it would otherwise not permitted to. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.4 MEDIUM	LOCAL	LOW	HIGH	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
icinga	icinga	2.10.0 ≤ 𝑥 < 2.13.13
icinga	icinga	2.14.0 ≤ 𝑥 < 2.14.7
icinga	icinga	2.15.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

icinga2

bullseye	postponed
trixie	no-dsa
bookworm	no-dsa
bullseye (security)	vulnerable
forky	2.15.1-1 fixed
sid	2.15.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

icinga2

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-250 - Execution with Unnecessary Privileges
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

References

https://github.com/Icinga/icinga2/commit/51ec73cbd922a76fc0f60e1d8d33acd7caa5d587

https://github.com/Icinga/icinga2/issues/10527

https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46

https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4