CVE-2025-4649
📋 TL;DR
A privilege escalation vulnerability in Centreon web allows users with lower privileges to view event logs that should require high privileges. This occurs because Access Control Lists (ACLs) are not properly enforced on the event logs page. Affected users are those running vulnerable versions of Centreon web.
💻 Affected Systems
- Centreon web
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
An authenticated low-privilege user gains unauthorized access to sensitive event logs containing system information, configuration details, or security events, potentially enabling further attacks.
Likely Case
Low-privilege users can view audit logs and system events they shouldn't have access to, violating security boundaries and potentially exposing sensitive operational data.
If Mitigated
With proper network segmentation and monitoring, the impact is limited to unauthorized log viewing without direct system compromise.
🎯 Exploit Status
Exploitation requires authenticated access to the Centreon web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.4, 24.04.10, 23.10.21, 23.04.26
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/centreon-web-medium-severity-4349
Restart Required: Yes
Instructions:
1. Back up your Centreon installation.
2. Update to the patched version using your package manager (yum update centreon-web or apt upgrade centreon-web).
3. Restart Centreon services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Event Logs Page Access
Temporarily restrict access to the event logs page via web server configuration or firewall rules.
```apache
# Example Apache 2.4 (mod_authz_core) rule. <Location> cannot match a query string,
# so the event-logs page id (p=501) is tested with "Require expr" instead.
# Auth file paths are placeholders; adjust to your own user/group files.
<Location "/centreon/main.php">
    AuthType Basic
    AuthName "Centreon"
    AuthUserFile /etc/httpd/centreon.htpasswd
    AuthGroupFile /etc/httpd/centreon.htgroup
    # Requests that are not for p=501 pass without authentication; p=501 needs admin-group.
    # Do not add "Require valid-user" alongside "Require group": the default is OR and it
    # would let any authenticated user through.
    <RequireAny>
        Require expr "%{QUERY_STRING} !~ /(^|&)p=501(&|$)/"
        Require group admin-group
    </RequireAny>
</Location>
```
🧯 If You Can't Patch
- Implement strict network segmentation to limit Centreon web access to authorized users only.
- Increase monitoring of event log access and implement alerting for unusual access patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Centreon web version via the web interface (Administration > Parameters > Centreon) or from the command line with rpm -q centreon-web or dpkg -l centreon-web.
Check Version:
rpm -q centreon-web 2>/dev/null || dpkg -l centreon-web 2>/dev/null | grep centreon-web
Verify Fix Applied:
Verify that the installed version is one of the patched versions listed above, then confirm that a low-privilege user can no longer open the event logs page.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to event logs page (main.php?p=501)
- Users with non-admin roles accessing event logs
Network Indicators:
- HTTP requests to /centreon/main.php?p=501 from non-admin users
SIEM Query:
source="centreon" AND (url="*main.php?p=501*" OR path="*main.php?p=501*") AND user_role!="admin"
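As an added example (not from the advisory or from Centreon), the following Python script applies the log indicators above to a few constructed Apache access-log lines: it flags hits on main.php?p=501 by users whose role is not admin, matching the page id as a parsed query parameter rather than a substring so that p=5010 is not a false positive. It assumes the front-end web server records the authenticated Centreon user in the access log's user field and that a user-to-role map is available; both are assumptions here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format; the third field is the
# authenticated user. Assumption: the web server records the logged-in Centreon
# user there (e.g. via an auth module); adjust the parser if your log differs.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2025:10:01:02 +0000] "GET /centreon/main.php?p=501 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - bob [12/May/2025:10:01:09 +0000] "GET /centreon/main.php?p=501&o=h HTTP/1.1" 200 4988 "-" "Mozilla/5.0"
10.0.0.7 - carol [12/May/2025:10:02:15 +0000] "GET /centreon/main.php?p=5010 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.6 - bob [12/May/2025:10:03:00 +0000] "GET /centreon/main.php?p=201 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
10.0.0.8 - - [12/May/2025:10:03:30 +0000] "GET /centreon/main.php?p=501 HTTP/1.1" 302 0 "-" "curl/8.0"
"""

# Constructed user-to-role map (assumption); in practice derive it from Centreon's contact/ACL configuration.
USER_ROLES = {"alice": "admin", "bob": "operator", "carol": "viewer"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EVENT_LOGS_PAGE = "501"  # page id of the event logs page from the indicators above


def is_event_logs_request(target):
    """True only if the request targets main.php with p exactly 501 (not p=5010 etc.)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/main.php"):
        return False
    return EVENT_LOGS_PAGE in parse_qs(parts.query).get("p", [])


def find_non_admin_event_log_access(log_text, roles):
    """Return (ip, user, role, status) for event-log page hits by users whose role is not admin.
    Unauthenticated hits ('-') are reported with role 'unknown' so they can be triaged as well."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_event_logs_request(m.group("target")):
            continue
        user = m.group("user")
        role = roles.get(user, "unknown")
        if role != "admin":
            hits.append((m.group("ip"), user, role, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in find_non_admin_event_log_access(SAMPLE_LOG, USER_ROLES):
        print("non-admin event-log access:", hit)
```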