CVE-2025-23203 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information) and CWE-284 (Improper Access Control) found in the Icinga icingaweb2-module-director, a configuration deployment tool for Icinga monitoring. The flaw exists in several REST API endpoints where authenticated users with Director access and API permissions can bypass access restrictions. Specifically, users restricted from accessing certain configuration objects can still retrieve sensitive information about these objects if they know their names. This is due to insufficient enforcement of access controls on endpoints such as icingaweb2/director/service (when host name is omitted), notification, serviceset, and scheduled-downtime. Additionally, the services endpoint returns a 200 status code even when the queried host is filtered, revealing the existence of hosts to unauthorized users. This information leakage can enable attackers to map infrastructure, identify targets, and potentially modify configurations, escalating privileges or causing data breaches. The vulnerability affects versions from 1.0.0 up to but not including 1.10.4 and from 1.11.0 up to but not including 1.11.4. Exploitation requires authenticated users with API access, but no user interaction beyond authentication is needed. The CVSS v3.1 base score is 5.5 (medium), reflecting high confidentiality impact, low integrity impact, no availability impact, network attack vector, low attack complexity, and high privileges required. No known exploits are reported in the wild yet. Mitigation involves upgrading to patched versions 1.10.4 or 1.11.4 or restricting Director module access to admin roles only until patches can be applied.

For European organizations using Icinga with the Director module, this vulnerability poses a risk of unauthorized disclosure of sensitive configuration data and infrastructure details to authenticated but unauthorized users. This can lead to information leakage that aids attackers in reconnaissance and targeted attacks, potentially resulting in configuration tampering, privilege escalation, and data breaches. Organizations relying on Icinga for critical infrastructure monitoring and configuration management may face operational risks if attackers exploit this flaw to alter monitoring configurations or suppress alerts. The impact is heightened in sectors with stringent data protection requirements such as finance, healthcare, and critical infrastructure, where unauthorized access to monitoring configurations could facilitate further attacks or compliance violations. Since exploitation requires authenticated access, insider threats or compromised credentials are primary risk vectors. The vulnerability could also undermine trust in monitoring systems and complicate incident response if attackers manipulate monitoring data or schedules.

1. Upgrade affected Icinga Director module versions to 1.10.4 or 1.11.4 immediately to apply official patches addressing the vulnerability. 2. Until patching is feasible, restrict access to the Director module strictly to users with admin roles; disable Director module access for all other users to prevent unauthorized API access. 3. Implement strong authentication mechanisms and enforce least privilege principles to limit the number of users with Director and API access. 4. Monitor API access logs for unusual queries or access patterns that may indicate attempts to enumerate hosts or services. 5. Conduct regular audits of user permissions within Icinga Director to ensure no unauthorized privilege escalation is possible. 6. Consider network segmentation and firewall rules to limit API endpoint exposure to trusted networks and users only. 7. Educate administrators and users about the risks of credential compromise and enforce multi-factor authentication where possible. 8. Integrate vulnerability scanning and configuration management tools to detect outdated Icinga Director versions and unauthorized configuration changes.