CVE-2025-54890
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Centreon Infra Monitoring allows authenticated users with elevated privileges to inject malicious scripts into the Hostgroup configuration page. When other users view the compromised page, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. The vulnerability affects multiple versions of Centreon Infra Monitoring across different release branches.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
An attacker with elevated privileges could inject persistent malicious scripts that steal administrator credentials, hijack sessions, install backdoors, or pivot to other systems in the monitoring infrastructure.
Likely Case
Privileged users could inadvertently or maliciously inject scripts that steal session cookies or credentials from other administrators viewing the Hostgroup configuration page.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires elevated privileges, reducing attack surface but increasing insider threat risk. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.15, 24.04.19, 23.10.29 or later
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54890-centreon-web-medium-severity-5342
Restart Required: Yes
Instructions:
1. Backup your Centreon configuration and database.
2. Update to the patched version using your package manager (yum update centreon or apt-get update && apt-get upgrade centreon).
3. Restart Centreon services (systemctl restart centreon).
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for Hostgroup configuration fields
# Requires custom code modification - not recommended as primary fix
Privilege Reduction
Temporarily reduce the number of users with elevated privileges who can access Hostgroup configuration
# Review and modify user roles in Centreon administration interface
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Enable web application firewall (WAF) rules specifically blocking XSS patterns in Hostgroup parameters
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface (Administration > About) or command line: rpm -qa | grep centreon-web (RHEL/CentOS) or dpkg -l | grep centreon-web (Debian/Ubuntu)
Check Version:
rpm -q centreon-web || dpkg -s centreon-web | grep Version
Verify Fix Applied:
Confirm version is 24.10.15+, 24.04.19+, or 23.10.29+ and test XSS payload injection in Hostgroup configuration fields
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Hostgroup configurations
- Multiple failed login attempts followed by Hostgroup changes
- Suspicious strings in web access logs containing script tags or JavaScript
Network Indicators:
- Unexpected outbound connections from Centreon server after Hostgroup page access
- Traffic patterns suggesting credential exfiltration
SIEM Query:
source="centreon.log" AND ("Hostgroup" AND ("<script" OR "javascript:" OR "onerror=" OR "onload="))
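As an added example (not part of this advisory or of Centreon's own tooling), the following Python script applies the same patterns as the SIEM query above to web access-log request lines, after URL-decoding them so percent-encoded payloads are not missed. The log format, the hostgroup path segment and the sample lines are constructed assumptions for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Same patterns as the SIEM query in this advisory, applied to the decoded request
# so that percent-encoded payloads (e.g. %3Cscript) do not slip past the match.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Scope to requests touching the Hostgroup configuration. The "hostgroup" path
# segment is an assumption used for this example, not a documented Centreon route.
HOSTGROUP_MARKER = re.compile(r"hostgroup", re.IGNORECASE)

# Apache combined-format prefix: client, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example; not real Centreon logs.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Sep/2025:10:01:02 +0000] "POST /centreon/configuration/hostgroup HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.5 - admin [01/Sep/2025:10:02:10 +0000] "GET /centreon/configuration/hostgroup?hg_name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla"
10.0.0.7 - ops [01/Sep/2025:10:03:00 +0000] "GET /centreon/configuration/hostgroup?hg_name=web-servers HTTP/1.1" 200 900 "-" "Mozilla"
10.0.0.9 - ops [01/Sep/2025:10:04:00 +0000] "GET /centreon/configuration/hostgroup?hg_alias=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 900 "-" "Mozilla"
"""


def find_suspicious_requests(log_text: str, decode: bool = True) -> List[Dict[str, str]]:
    """Return Hostgroup requests whose (optionally URL-decoded) path carries an XSS pattern.

    Caveat: a stored payload submitted in a POST body never appears in the access
    log request line (see the first sample line), so pair this with application or
    audit logs that record Hostgroup field changes.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = unquote_plus(m["path"]) if decode else m["path"]
        if HOSTGROUP_MARKER.search(path) and XSS_PATTERNS.search(path):
            hits.append({"ip": m["ip"], "user": m["user"], "time": m["ts"], "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['user']} {hit['path']}")
```

Running the same check with decode=False returns nothing for these lines, which is why a plain string match on raw access logs undercounts.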