CVE-2025-61907 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information) affecting Icinga 2, an open-source monitoring system widely used for infrastructure and service monitoring. The flaw exists in versions 2.4 through 2.15.0, where filter expressions submitted to the /v1/objects API endpoints improperly allow authenticated users to access variables and objects beyond their authorized scope. Specifically, users can retrieve global variables and objects that should be restricted by the system's permission model, including those not permitted by variables or objects/query permissions. This occurs because the filtering mechanism does not correctly enforce access controls on the data returned. The vulnerability requires the attacker to have authenticated API access but does not require any additional user interaction, making it easier to exploit once credentials are obtained. The vulnerability does not affect data integrity or system availability but poses a significant confidentiality risk by exposing sensitive configuration or monitoring data that could be leveraged for further attacks or reconnaissance. The issue is resolved in Icinga 2 versions 2.15.1, 2.14.7, and 2.13.13, where access controls on filter expressions have been properly enforced. No known exploits are currently reported in the wild, but the CVSS 4.0 base score of 7.1 (high severity) reflects the potential impact and ease of exploitation given authenticated access.

For European organizations, the primary impact of CVE-2025-61907 is unauthorized disclosure of sensitive monitoring data, which may include configuration details, global variables, or other internal objects that could reveal network topology, credentials, or operational parameters. Such information leakage can facilitate lateral movement, privilege escalation, or targeted attacks by adversaries who gain authenticated API access. Organizations relying on Icinga 2 for critical infrastructure monitoring, including utilities, financial institutions, and government agencies, face increased risk of espionage or sabotage. The exposure of sensitive information could also violate data protection regulations such as GDPR if personal or operational data is inadvertently disclosed. While the vulnerability does not directly compromise system integrity or availability, the confidentiality breach alone can have severe operational and reputational consequences.

European organizations should immediately upgrade all affected Icinga 2 instances to the fixed versions 2.15.1, 2.14.7, or 2.13.13 as applicable. Until patching is complete, restrict API access to trusted users and networks, enforce strict authentication and authorization policies, and audit API user permissions to ensure least privilege. Implement monitoring and alerting for unusual API queries or access patterns that could indicate exploitation attempts. Review and harden the configuration of Icinga 2’s API endpoints, disabling or limiting filter expression capabilities if possible. Conduct regular security assessments and penetration tests focusing on API access controls. Additionally, consider network segmentation to isolate monitoring infrastructure and reduce the attack surface. Maintain an inventory of all Icinga 2 deployments and ensure timely application of security updates.