CVE-2025-48057: 
Icinga vulnerability analysis and mitigation

Icinga 2, a monitoring system for network resources, was found to contain a critical vulnerability (CVE-2025-48057) disclosed on May 27, 2025. The vulnerability affects versions prior to 2.12.12, 2.13.12, and 2.14.6, specifically when built with OpenSSL versions older than 1.1.0. The issue resides in the VerifyCertificate() function, which can incorrectly validate certificates (GitHub Advisory, NVD).

The vulnerability stems from OpenSSL's storage of a valid flag in the certificate structure when using versions older than 1.1.0. If this flag is set, certain validation steps are skipped during subsequent verification operations, causing certificates to be incorrectly treated as valid even when they aren't properly signed by the trusted CA. The issue has been assigned a CVSS v4.0 score of 9.3 (Critical) (GitHub Advisory, Wiz).

An attacker can exploit this vulnerability by sending a malicious certificate request that gets treated as a renewal of an existing certificate. This allows the attacker to obtain a valid certificate that can be used to impersonate trusted nodes. The exploitation requires a direct TLS connection to a master capable of signing certificates (GitHub Advisory, Wiz).

The vulnerability has been patched in Icinga 2 versions 2.14.6, 2.13.12, and 2.12.12. Users are advised to upgrade immediately on masters running with OpenSSL 1.0.2 or older. Temporary workarounds include restricting network access to master nodes to trusted entities only, or stopping the master from signing new certificates by renaming the /var/lib/icinga2/ca directory. However, the latter is only a short-term solution as certificates will eventually expire (GitHub Advisory).