CVE-2025-61909

Name	CVE-2025-61909
Description	Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can allow the Icinga user to send signals to processes it would otherwise not permitted to. A fix is included in the following Icinga 2 versions: 2.15.1, 2.14.7, and 2.13.13.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
icinga2 (PTS)	bullseye	2.12.3-1	vulnerable
	bullseye (security)	2.12.3-1+deb11u1	vulnerable
	bookworm	2.13.6-2+deb12u2	vulnerable
	trixie	2.14.6-1	vulnerable
	forky, sid	2.15.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
icinga2	source	(unstable)	2.15.1-1

Notes

[bullseye] - icinga2 <postponed> (Minor issue, requires a compromised icinga/nagios system user)
https://github.com/Icinga/icinga2/security/advisories/GHSA-pg6g-g99v-mw46
https://github.com/Icinga/icinga2/issues/10527
https://github.com/Icinga/icinga2/commit/51ec73cbd922a76fc0f60e1d8d33acd7caa5d587
https://icinga.com/blog/releasing-icinga-2-v2-15-1-2-14-7-and-2-13-13-and-icinga-db-web-v1-2-3-and-1-1-4/