Icinga2 Release v2.14.9 (3 x critical) + v2.15.4 + v2.16.2
Icinga has released security updates for Icinga2 with versions 2.14.9, 2.15.4, and 2.16.2, addressing three critical vulnerabilities. Users are advised to upgrade to the latest versions to patch the security flaws.
Background
- Icinga2 is an open-source monitoring system that checks the availability of servers, networks, and applications and alerts administrators when something goes wrong. It descends from the popular Nagios tool and is widely used in IT operations.
- The v2.14.9, v2.15.4, and v2.16.2 releases fix three critical-severity vulnerabilities (CVE-2025-27520, CVE-2025-27521, CVE-2025-27522) found by an external researcher. They involve unsafe deserialization of data in the Icinga DB Redis backend and IcingaDB Web module, which could let an attacker execute arbitrary code or cause a denial of service.
- An additional low-severity issue affects the "checker" component. All users are urged to upgrade immediately, as the flaws affect all supported release branches (v2.14, v2.15, v2.16).
- Users who cannot upgrade can work around the Redis deserialization bug by restricting network access to the Redis port or binding Redis to localhost only.
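The following is an added example, not code from the Icinga project or this advisory: a small POSIX shell check that maps an installed Icinga 2 version to its branch and tells you whether it already carries the fixed release named above (2.14.9, 2.15.4 or 2.16.2). The wrapper's parsing of `icinga2 --version` output is an assumption about the format of that command's output.

```shell
#!/bin/sh
# Added example (not the Icinga project's own code): decide whether an
# Icinga 2 version already contains the fixes from this advisory.

# Fixed versions per supported branch, as stated in the advisory.
FIXED_2_14="2.14.9"
FIXED_2_15="2.15.4"
FIXED_2_16="2.16.2"

# icinga2_is_fixed VERSION
#   VERSION may look like 2.14.8, v2.15.4 or r2.16.1-1 (package suffix).
#   Returns 0 if patched, 1 if still vulnerable, 2 if the branch is not
#   one of the three the advisory covers (decide manually in that case).
icinga2_is_fixed() {
    # Strip a leading r/v and any "-<pkgrelease>" suffix.
    v=$(printf '%s' "$1" | sed 's/^[rv]//; s/-.*$//')
    case "$v" in
        *.*.*) ;;            # major.minor.patch
        *.*) v="$v.0" ;;     # major.minor only: treat as patch 0
        *) return 2 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$patch" in ''|*[!0-9]*) return 2 ;; esac   # non-numeric patch
    case "$major.$minor" in
        2.14) fixed=$FIXED_2_14 ;;
        2.15) fixed=$FIXED_2_15 ;;
        2.16) fixed=$FIXED_2_16 ;;
        *) return 2 ;;
    esac
    fixed_patch=${fixed##*.}
    [ "$patch" -ge "$fixed_patch" ] && return 0
    return 1
}

# check_installed_icinga2: run the check against the local daemon.
# Assumes (not verified here) that "icinga2 --version" prints a line
# containing "(version: v2.14.8)" or similar.
check_installed_icinga2() {
    ver=$(icinga2 --version 2>/dev/null \
          | sed -n 's/.*version: *\([rv]*[0-9.]*[-0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "icinga2 not found or version unreadable"; return 2; }
    if icinga2_is_fixed "$ver"; then
        echo "icinga2 $ver: fixed release installed"; return 0
    fi
    echo "icinga2 $ver: NOT at the fixed release for its branch, upgrade"; return 1
}
# Usage: check_installed_icinga2
```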