
CVE-2025-27405

Severity: High

Published: 26 March 2025
Modified: 01 August 2025
CISA KEV: not listed
CVSS Score: 7.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27405 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Icinga Web 2 (vendor: Icinga). Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the XSS vulnerability by requiring timely patching of affected Icinga Web 2 versions to versions 2.11.5 or 2.12.13.
- prevent (SI-15, Information Output Filtering): Prevents execution of injected JavaScript by filtering information outputs, aligning with the Content Security Policy workaround for blocking arbitrary script embedding.
- prevent (SI-10, Information Input Validation): Blocks malicious URLs crafted by high-privilege attackers by validating inputs to the web interface, stopping XSS exploitation before script injection.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

The XSS vulnerability enables arbitrary JavaScript injection and execution via a malicious URL in the web application (T1190), direct JavaScript code execution (T1059.007), and acting on behalf of the victim within their session context (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, allows embedding arbitrary JavaScript into Icinga Web and acting on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings.

Deeper analysis

CVE-2025-27405 is a cross-site scripting (XSS) vulnerability (CWE-79) affecting Icinga Web 2, an open source monitoring web interface, framework, and command-line interface. Versions prior to 2.11.5 and 2.12.13 are vulnerable, enabling an attacker to craft a malicious URL that embeds arbitrary JavaScript into the Icinga Web interface when visited by a user. The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).

An attacker with high privileges (PR:H) can exploit this by crafting a URL that requires a user to visit it (UI:R), such as through social engineering like phishing or shared links. Once visited over the network (AV:N), the embedded JavaScript executes in the context of the victim's session, allowing the attacker to act on behalf of that user. This can lead to high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) with elevated scope (S:C), potentially enabling unauthorized actions based on the victim's permissions.

The issue is resolved in Icinga Web 2 versions 2.11.5 and 2.12.3, as detailed in the project's release notes and security advisory (GHSA-3x37-fjc3-ch8w). As a workaround for version 2.12.2, administrators can enable a content security policy in the application settings. Security practitioners should prioritize patching affected installations and review access controls for privileged users.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products:
- Vendor: Icinga
- Product: Icinga Web 2
- Versions: ≤ 2.11.5; 2.12.0 to 2.12.3

CVEs Like This One

- CVE-2025-27404: same product (Icinga Icinga Web 2)
- CVE-2026-25156: shared CWE-79
- CVE-2025-69096: shared CWE-79
- CVE-2025-15440: shared CWE-79
- CVE-2026-22524: shared CWE-79
- CVE-2026-4803: shared CWE-79
- CVE-2025-40587: shared CWE-79
- CVE-2026-26930: shared CWE-79
- CVE-2025-23998: shared CWE-79
- CVE-2025-23722: shared CWE-79
