CVE-2025-27404
Published: 26 March 2025
Summary
CVE-2025-27404 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Icinga's Icinga Web 2. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 42.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the XSS vulnerability by identifying, reporting, and applying patches to upgrade Icinga Web 2 to fixed versions 2.11.5 or 2.12.13.
- Prevents execution of embedded JavaScript from malicious URLs by filtering outputs to web pages, including enabling Content Security Policy as a workaround.
- Blocks crafted malicious URLs containing arbitrary JavaScript by validating all information inputs to the web interface.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The reflected XSS vulnerability in the public-facing Icinga Web 2 application directly enables injection of arbitrary JavaScript that executes in the victim's authenticated browser session.
NVD Description
Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.
Deeper analysis
CVE-2025-27404 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting Icinga Web 2, an open source monitoring web interface, framework, and command-line interface. Versions prior to 2.11.5 and 2.12.13 are vulnerable, enabling an attacker to craft a malicious URL that embeds arbitrary JavaScript into the Icinga Web interface when visited by any user. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-03-26.
An attacker with high privileges can exploit this issue over the network by tricking any user into visiting the crafted URL; exploitation requires user interaction and involves high attack complexity. On success, the embedded JavaScript executes in the context of the victim's session, enabling the attacker to act on behalf of that user and potentially achieve high confidentiality, integrity, and availability impacts across the changed scope.
Mitigation is available through upgrading to Icinga Web 2 versions 2.11.5 or 2.12.3, which resolve the issue. For installations on version 2.12.2, a workaround exists by enabling a content security policy in the application settings. Additional details are provided in the Icinga security advisory (GHSA-c6pg-h955-wf66) and release notes for the patched versions.
Details
- CWE(s)