CVE-2025-53840 LOW

CVE-2025-53840: Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Vendor Icinga

Product icingadb-web

Weakness CWE-200 · Info exposure

Published July 16, 2025

Last update July 18, 2025

View on NVD All CVEs

CVSS base score

2.4/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3.

Key dates

02Disclosure timeline

July 16, 2025 CVE published

July 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-53840 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2025-53840: Icinga DB Web Exposure of Sensitive Information to an Unauthorized Actor vulnerability

01Description

02Disclosure timeline

03References

04Related CVE