CVE-2025-48057

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-48057
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48057.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-48057
Aliases
  • GHSA-7vcf-f5v9-3wr6
Downstream
Related
Published
2025-05-27T16:32:29.931Z
Modified
2026-04-10T05:28:06.152877Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L CVSS Calculator
Summary
Icinga 2 certificate renewal might incorrectly renew an invalid certificate
Details

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious certificate request that is then treated as a renewal of an already existing certificate, resulting in the attacker obtaining a valid certificate that can be used to impersonate trusted nodes. This only occurs when Icinga 2 is built with OpenSSL older than version 1.1.0. This issue has been patched in versions 2.12.12, 2.13.12, and 2.14.6.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48057.json",
    "cwe_ids": [
        "CWE-296"
    ]
}
References

Affected packages

Git / github.com/icinga/icinga2

Affected ranges

Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
0d5802937ba274fd3b9e13a48c4638cc104ad577
Fixed
e4d2788f0869808bccea67a041a347c4c6bc237b
Database specific 
{
    "versions": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
aaccd0448feff8769b3c825c5c13b9fd6fbeed27
Fixed
ec09daa4a4e7ac400417eb6e3c762bd84bd73f80
Database specific 
{
    "versions": [
        {
            "introduced": "2.13.0"
        },
        {
            "fixed": "2.13.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a0ec7f6b2fc7d4caa050f7e353e4f53f1bc140b7
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.12.12"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.10
v0.0.11
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.10.0
v2.10.1
v2.11.0
v2.11.0-rc1
v2.12.0
v2.12.0-rc1
v2.12.1
v2.12.10
v2.12.2
v2.12.3
v2.12.4
v2.12.7
v2.12.8
v2.12.9
v2.13.0
v2.13.11
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.13.7
v2.13.8
v2.13.9
v2.14.0
v2.14.1
v2.14.2
v2.14.4
v2.14.5
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.9.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48057.json"