CVE-2025-54889

6.8 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Centreon Infra Monitoring allows attackers with elevated privileges to inject malicious scripts into SNMP trap manufacturer configuration pages. When other users view these pages, the scripts execute in their browsers, potentially compromising their sessions or performing unauthorized actions. The vulnerability affects Centreon Infra Monitoring installations running specific vulnerable versions.

💻 Affected Systems

Products:
  • Centreon Infra Monitoring
Versions: 24.10.0 to 24.10.12, 24.04.0 to 24.04.17, 23.10.0 to 23.10.27
Operating Systems: All supported platforms running Centreon
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SNMP traps manufacturer configuration modules; requires user with elevated privileges to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Privileged attacker compromises administrator accounts, steals session tokens, gains full system control, and pivots to other systems in the network.

🟠 Likely Case: Malicious insider or compromised privileged account performs session hijacking, data theft, or modifies monitoring configurations to hide malicious activity.

🟢 If Mitigated: Limited to privilege escalation among existing users, with minimal impact if proper input validation and output encoding are implemented.

🌐 Internet-Facing: MEDIUM - Requires authenticated privileged access, but if the interface is exposed to the internet, it increases the attack surface for credential-based attacks.
🏢 Internal Only: HIGH - Internal privileged users pose a significant risk; insider threats or compromised accounts could exploit this effectively.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated privileged access; stored XSS payload must be injected into specific configuration fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.10.13, 24.04.18, 23.10.28

Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54889-centreon-web-all-versions-medium-severity-5123

Restart Required: No

Instructions:

1. Back up your Centreon configuration and database.
2. Update to a patched version via the package manager (yum update centreon or apt upgrade centreon).
3. Verify that the update completed successfully.
4. Test SNMP trap manufacturer configuration functionality.

🔧 Temporary Workarounds

Input Validation Enhancement (platform: all)

Implement additional input validation for SNMP trap manufacturer configuration fields to reject suspicious characters.

# Review and enhance input validation in affected PHP files
# Add HTML entity encoding for output in configuration display pages

🧯 If You Can't Patch

  • Restrict privileged access to SNMP trap configuration modules to only essential personnel
  • Implement web application firewall (WAF) rules to detect and block XSS payloads in POST requests

🔍 How to Verify

Check if Vulnerable:

Check Centreon version via web interface (Administration > Parameters > Centreon) or command: rpm -qa | grep centreon-web

Check Version:

rpm -q centreon-web || dpkg -l | grep centreon-web

Verify Fix Applied:

Confirm the installed version is at least 24.10.13, 24.04.18, or 23.10.28 on the respective release branch; then test the SNMP trap manufacturer configuration pages to confirm that entered markup is encoded on display rather than rendered.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to SNMP trap manufacturer configurations
  • Multiple failed login attempts followed by successful privileged access

Network Indicators:

  • HTTP POST requests containing script tags or JavaScript in SNMP configuration parameters

SIEM Query:

source="centreon.log" AND ("SNMP trap" OR "manufacturer configuration") AND ("<script>" OR "javascript:" OR "onerror=")
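The SIEM query above matches only the literal, lowercase forms of the indicators; URL-encoded or mixed-case variants in a POST body would slip past it. The following added example (not part of the original advisory or of Centreon) applies the same context-plus-payload logic over constructed sample log lines, after decoding and lowercasing them. The log layout and field names are assumed, not Centreon's actual format.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed format, not Centreon's real log layout).
SAMPLE_LOGS = [
    '2025-08-01T10:01:02Z user=admin action=update module="SNMP trap manufacturer configuration" name=Acme',
    '2025-08-01T10:05:17Z user=ops action=update module="SNMP trap manufacturer configuration" name=<script>',
    '2025-08-01T10:07:44Z user=ops action=update module="SNMP trap manufacturer configuration" name=%3Cscript%3E',
    '2025-08-01T10:09:00Z user=admin action=view module="host configuration" name=<script>',
    '2025-08-01T10:11:30Z user=ops action=update module="manufacturer configuration" name=x ONERROR=x',
]

# Same terms as the advisory's SIEM query: a line is flagged only when it
# touches the affected module AND carries one of the payload indicators.
CONTEXT_TERMS = ("snmp trap", "manufacturer configuration")
PAYLOAD_TERMS = ("<script>", "javascript:", "onerror=")


def normalize(line: str) -> str:
    """Decode URL-encoding (up to twice, for double-encoded input) and lowercase,
    so %3Cscript%3E and <SCRIPT> match the same indicators as the literal form."""
    decoded = line
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def is_suspicious(line: str) -> bool:
    text = normalize(line)
    has_context = any(term in text for term in CONTEXT_TERMS)
    has_payload = any(term in text for term in PAYLOAD_TERMS)
    return has_context and has_payload


def scan(lines):
    """Return the lines that would be worth an analyst's attention."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("SUSPICIOUS:", hit)
```

Lines 2, 3 and 5 of the sample are flagged; line 4 carries a payload token but is outside the affected module, so it is left alone, which mirrors the query's intent of limiting noise.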

🔗 References
