
Cloud Vulnerability DB
A community-led vulnerabilities database
Icinga 2, an open source monitoring system, contains a vulnerability (CVE-2025-61908) affecting versions from 2.10.0 up to, but not including, 2.15.1, 2.14.7, and 2.13.13. The vulnerability was discovered and disclosed on October 16, 2025. It is a null pointer dereference that can lead to a denial of service condition (GitHub Advisory, NVD).
The vulnerability is classified as a NULL Pointer Dereference (CWE-476): creating an invalid reference, such as a reference to null, results in a segmentation fault when that reference is dereferenced. It has been assigned a CVSS v4.0 base score of 7.1 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, indicating that it is reachable over the network with low attack complexity and requires low privileges (GitHub Advisory).
The vulnerability allows any authenticated API user with access to an API endpoint that accepts filter expressions to crash the Icinga 2 daemon, resulting in a denial of service condition. This affects the availability of the monitoring system, with no direct impact on confidentiality or integrity (GitHub Advisory).
The vulnerability has been patched in Icinga 2 versions 2.15.1, 2.14.7, and 2.13.13. As a workaround, API access can be limited to trusted users only, though this may not be practical in all cases as it would require removing permissions from users that grant access to endpoints accepting filter expressions. Users relying on restricted access for unprivileged API users are advised to update immediately (Icinga Blog).
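The affected range spans three maintained branches, so a single "older than 2.15.1" comparison, or a string comparison, misclassifies patched releases such as 2.14.7 and 2.13.13. The following is an added example, not code from the advisory or the Icinga project: a branch-aware check for triaging version strings collected from an inventory. The function names are hypothetical, and it assumes that branches newer than 2.15 already include the fix.

```python
import re

# Fixed release per branch, taken from the advisory text above.
FIXED_PATCH = {(2, 15): 1, (2, 14): 7, (2, 13): 13}
FIRST_AFFECTED = (2, 10, 0)
OLDEST_FIXED_BRANCH = min(FIXED_PATCH)  # (2, 13)

# Accepts bare versions and ones with an r/v prefix or a package suffix.
_VERSION_RE = re.compile(r"(?<![\d.])[rv]?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from the first X.Y.Z found in text."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls in the CVE-2025-61908 affected range."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False  # predates the affected range
    branch = version[:2]
    if branch in FIXED_PATCH:
        # Numeric comparison: 2.13.9 is older than 2.13.13.
        return version[2] < FIXED_PATCH[branch]
    # 2.10 to 2.12 have no fixed release listed, so they stay affected.
    # Assumption: branches after 2.15 ship with the fix.
    return branch < OLDEST_FIXED_BRANCH


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "mon-01": "r2.14.2-1",
        "mon-02": "2.13.13",
        "mon-03": "2.13.9",
        "mon-04": "2.15.1",
        "mon-05": "2.12.5",
    }
    for host, raw in inventory.items():
        state = "AFFECTED, update" if is_affected(raw) else "not affected"
        print(f"{host}: {raw} -> {state}")
```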
Source: This report was generated using AI