CVE-2025-61909

Name: CVE-2025-61909
Creator: NVD / NIST
Published: 2025-10-16T18:15:38.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 4/10EPSS 0.20%

Last modified Jun 17, 2026

CVE-2025-61909 is a medium-severity vulnerability rated 4/10 on the CVSS scale. Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. EPSS estimates a 0.20% chance of exploitation in the next 30 days.

Description

Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can allow the Icinga user to send signals to processes it would otherwise not permitted to. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.

Metrics

CVSS 3.1

4.4/10

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0

4/10

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.20%

9.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-250

Affected Software

Vendor	Product	Versions
Icinga	Icinga	>= 2.10.0, < 2.13.13
Icinga	Icinga	>= 2.14.0, < 2.14.7
Icinga	Icinga	2.15.0

References

https://github.com/Icinga/icinga2/commit/51ec73cbd922a76fc0f60e1d8d33acd7caa5d587Patch
https://github.com/Icinga/icinga2/issues/10527Issue Tracking
https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46Patch, Vendor Advisory
https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4Release Notes

Timeline

Published: Oct 16, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-61909?

How severe is CVE-2025-61909?

CVE-2025-61909 has a CVSS score of 4/10 (MEDIUM severity). The EPSS model estimates a 0.20% probability of exploitation in the next 30 days.

How do I fix CVE-2025-61909?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-61909?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST