CVE-2025-48057: 
Icinga vulnerability analysis and mitigation

CVE-2025-48057 affects Icinga 2, a monitoring system that checks network resources availability. The vulnerability was discovered in versions prior to 2.12.12, 2.13.12, and 2.14.6, where the VerifyCertificate() function could incorrectly validate certificates. This vulnerability was disclosed on May 27, 2025, and has been assigned a CVSS v4.0 score of 9.3 (Critical) (GitHub Advisory).

The vulnerability exists in the VerifyCertificate() function when Icinga 2 is built with OpenSSL versions older than 1.1.0. The issue stems from OpenSSL's storage of a valid flag in the certificate structure, which if set, causes certain validation steps to be skipped during subsequent verification operations. This can result in certificates being incorrectly treated as valid even when they aren't properly signed by the trusted CA (GitHub Advisory).

An attacker can exploit this vulnerability by sending a malicious certificate request that gets treated as a renewal of an existing certificate. This allows the attacker to obtain a valid certificate that can be used to impersonate trusted nodes. The exploitation requires a direct TLS connection to a master capable of signing certificates (GitHub Advisory).

The vulnerability has been patched in Icinga 2 versions 2.14.6, 2.13.12, and 2.12.12. Users are advised to upgrade immediately on masters running with OpenSSL 1.0.2 or older. Temporary workarounds include restricting network access to master nodes to trusted entities only, or stopping the master from signing new certificates by renaming the /var/lib/icinga2/ca directory (GitHub Advisory).