Cyber Resilience

CVE-2025-27404

High

Published: 26 March 2025

Published
26 March 2025
Modified
01 August 2025
KEV Added
Patch
CVSS Score v3.1 7.6 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0011 28.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27404 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Icinga Icinga Web 2. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-27404 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting Icinga Web 2, an open source monitoring web interface, framework, and command-line interface. Versions prior to 2.11.5 and 2.12.13 are vulnerable, enabling an attacker to craft a malicious URL that embeds arbitrary JavaScript into the Icinga Web interface when visited by any user. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-03-26.

An attacker with high privileges can exploit this issue over the network by tricking any user into visiting the crafted URL, which requires user interaction and involves high attack complexity. Successful exploitation allows the embedded JavaScript to execute in the context of the victim's session, enabling the attacker to act on behalf of that user and potentially achieve high confidentiality, integrity, and availability impacts across the changed scope.

Mitigation is available through upgrading to Icinga Web 2 versions 2.11.5 or 2.12.3, which resolve the issue. For installations on version 2.12.2, a workaround exists by enabling a content security policy in the application settings. Additional details are provided in the Icinga security advisory (GHSA-c6pg-h955-wf66) and release notes for the patched versions.

EU & UK References

Vulnerability details

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows to embed arbitrary…

more

Javascript into Icinga Web and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The reflected XSS vulnerability in the public-facing Icinga Web 2 application directly enables injection of arbitrary JavaScript that executes in the victim's authenticated browser session.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27405Same product: Icinga Icinga Web 2
CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79
CVE-2025-27352Shared CWE-79
CVE-2025-30349Shared CWE-79

Affected Assets

icinga
icinga web 2
≤ 2.11.5 · 2.12.0 — 2.12.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the XSS vulnerability by identifying, reporting, and applying patches to upgrade Icinga Web 2 to fixed versions 2.11.5 or 2.12.13.

prevent

Prevents execution of embedded JavaScript from malicious URLs by filtering outputs to web pages, including enabling Content Security Policy as a workaround.

prevent

Blocks crafted malicious URLs containing arbitrary JavaScript by validating all information inputs to the web interface.

References