CVE-2025-3872
📋 TL;DR
This SQL injection vulnerability in Centreon's web interface allows high-privileged users to become administrators by manipulating contact form requests. It affects Centreon monitoring software across multiple versions. Attackers can execute arbitrary SQL commands through the user configuration form.
💻 Affected Systems
- Centreon centreon-web
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Centreon system, allowing attackers to gain administrative privileges, access sensitive monitoring data, and potentially pivot to other systems in the network.
Likely Case
Privilege escalation where authenticated users with high privileges gain administrative access, potentially leading to unauthorized configuration changes and data access.
If Mitigated
Limited impact if proper input validation and parameterized queries are implemented, restricting SQL injection attempts.
🎯 Exploit Status
Exploitation requires authenticated access with high privileges; involves intercepting and modifying HTTP requests to the contact form.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.10.28, 23.04.25, 23.10.20, 24.04.10, 24.10.4
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55571-centreon-web-high-severity-4496
Restart Required: Yes
Instructions:
1. Backup your Centreon configuration and database.
2. Update Centreon to the patched version using your package manager (yum update centreon or apt update centreon).
3. Restart Centreon services (systemctl restart centreon).
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Enhancement
Platform: Linux. Implement additional input validation for the contact form parameters to reject suspicious SQL patterns.
Web Application Firewall Rules
Platform: all. Deploy WAF rules to block SQL injection patterns targeting the contact form endpoints.
🧯 If You Can't Patch
- Restrict network access to Centreon web interface to trusted IP addresses only.
- Implement strict least-privilege access controls and monitor user activities for unusual privilege escalation attempts.
🔍 How to Verify
Check if Vulnerable:
Check Centreon version using 'rpm -q centreon' or 'dpkg -l | grep centreon' and compare against affected versions.
Check Version:
rpm -q centreon-web || dpkg -l | grep centreon-web
Verify Fix Applied:
Verify the installed version matches or exceeds the patched versions: 22.10.28, 23.04.25, 23.10.20, 24.04.10, or 24.10.4.
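The version comparison above has to be done per release branch, since each branch has its own fixed release. The following script is an added example (not Centreon's own tooling) that queries rpm or dpkg for the installed centreon-web version and reports whether it is at or above the patched release for its branch; the query format strings and the handling of Debian epochs and rpm release suffixes are assumptions about how the package is versioned on a given host.

```python
"""Check whether the installed centreon-web version is at or above the
fixed release for its branch (CVE-2025-3872).
Added example; not part of the advisory or of Centreon's tooling."""
import re
import subprocess

# Patched versions listed in the advisory, keyed by release branch.
PATCHED = {
    "22.10": (22, 10, 28),
    "23.04": (23, 4, 25),
    "23.10": (23, 10, 20),
    "24.04": (24, 4, 10),
    "24.10": (24, 10, 4),
}


def parse_version(text):
    """Extract (major, minor, patch) from a package version string such as
    '24.10.3', '24.10.3-1.el9' or '1:24.10.3-1' (an rpm release suffix or a
    Debian epoch is ignored). Raises ValueError on anything unrecognised."""
    m = re.search(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (branch, status); status is 'patched', 'vulnerable' or
    'unknown-branch' when the branch is not in the advisory's list."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]:02d}"          # 24.4.x is the '24.04' branch
    fixed = PATCHED.get(branch)
    if fixed is None:
        return branch, "unknown-branch"
    return branch, ("patched" if v >= fixed else "vulnerable")


def installed_version():
    """Ask rpm, then dpkg-query, for the installed centreon-web version.
    Returns None if neither tool is present or neither reports the package."""
    commands = (
        ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "centreon-web"],
        ["dpkg-query", "-W", "-f=${Version}", "centreon-web"],
    )
    for cmd in commands:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True,
                                 check=True).stdout.strip()
        except (FileNotFoundError, subprocess.CalledProcessError):
            continue
        if out:
            return out
    return None


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("centreon-web not found via rpm or dpkg")
    else:
        branch, status = assess(ver)
        print(f"centreon-web {ver} (branch {branch}): {status}")
```

Run it on the Centreon host itself; an "unknown-branch" result means the installed branch is not one of the five the advisory lists, so the vendor bulletin should be consulted directly rather than assuming the host is safe.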
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by privilege changes
- HTTP requests with SQL patterns to /centreon/include/configuration/configObject/contact/* endpoints
Network Indicators:
- HTTP POST requests to contact form endpoints containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Unexpected privilege escalation traffic
SIEM Query:
source="centreon-web" AND (url="*contact*" AND (method="POST" OR method="PUT") AND (payload="*UNION*" OR payload="*SELECT*" OR payload="*INSERT*"))
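Keyword matching of the kind in the SIEM query above will also fire on ordinary contact data that happens to contain a word like "Select". The following is an added example (not from the page or from Centreon) that applies the same source/method/URL/keyword logic to constructed request records, then adds a stricter tier that requires an SQL-shaped sequence (UNION ... SELECT, SELECT ... FROM, INSERT INTO) so an analyst can prioritise hits. The record layout, field names and the example URL under the contact path are assumptions.

```python
"""Triage web request records for SQL-keyword hits against the contact
form endpoints (CVE-2025-3872 detection logic from the page, plus a
stricter tier). Added example; record format is an assumption."""
import re

# Keywords named in the page's SIEM query, matched as whole words.
BROAD = re.compile(r"\b(UNION|SELECT|INSERT)\b", re.IGNORECASE)
# Stricter tier: keyword appearing in an SQL-shaped sequence.
REFINED = re.compile(
    r"\bunion\s+(?:all\s+)?select\b|\bselect\b.+?\bfrom\b|\binsert\s+into\b",
    re.IGNORECASE | re.DOTALL,
)


def classify(record):
    """Return 'none', 'broad' or 'refined' for one request record."""
    if record.get("source") != "centreon-web":
        return "none"
    if record.get("method") not in ("POST", "PUT"):
        return "none"
    if "contact" not in record.get("url", ""):
        return "none"
    payload = record.get("payload", "")
    if REFINED.search(payload):
        return "refined"
    if BROAD.search(payload):
        return "broad"
    return "none"


def triage(records):
    """Return [(index, level)] for every record that is not 'none'."""
    hits = []
    for i, rec in enumerate(records):
        level = classify(rec)
        if level != "none":
            hits.append((i, level))
    return hits


CONTACT_URL = "/centreon/include/configuration/configObject/contact/example.php"  # constructed
OTHER_URL = "/centreon/include/configuration/configObject/host/example.php"       # constructed

# Constructed sample records; payload is the decoded form body.
SAMPLE = [
    {"source": "centreon-web", "method": "POST", "url": CONTACT_URL,
     "payload": "contact_name=Alice&contact_email=alice@example.org"},
    # Legitimate data containing an SQL keyword as an ordinary word.
    {"source": "centreon-web", "method": "POST", "url": CONTACT_URL,
     "payload": "contact_name=Select Committee Helpdesk"},
    # SQL-shaped sequence in a form field.
    {"source": "centreon-web", "method": "POST", "url": CONTACT_URL,
     "payload": "contact_name=x' UNION SELECT 1,2 -- "},
    # Wrong method: the query only covers POST and PUT.
    {"source": "centreon-web", "method": "GET", "url": CONTACT_URL,
     "payload": "search=SELECT"},
    # Wrong endpoint: not under the contact path.
    {"source": "centreon-web", "method": "POST", "url": OTHER_URL,
     "payload": "host_comment=INSERT INTO schedule"},
]

if __name__ == "__main__":
    for idx, level in triage(SAMPLE):
        print(f"record {idx}: {level}: {SAMPLE[idx]['payload']!r}")
```

The "broad" tier reproduces the page's query and is the right thing to alert on; the "refined" tier is a ranking aid for the analyst, not a replacement, since an attacker can space, comment or encode a payload so that no fixed sequence matches.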