CVE-2025-5965
📋 TL;DR
This vulnerability allows authenticated users with high privileges to inject arbitrary operating system commands through backup configuration parameters in Centreon Infra Monitoring. Successful exploitation could lead to remote code execution on the underlying server. Affected versions include Centreon Infra Monitoring from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, and from 24.04.0 before 24.04.19.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root-level access to execute arbitrary commands, install malware, exfiltrate sensitive data, or pivot to other systems in the network.
Likely Case
Privileged authenticated attacker executes commands with web server user privileges, potentially accessing monitoring data, configuration files, or establishing persistence.
If Mitigated
Attack limited to authenticated high-privilege users only, with network segmentation preventing lateral movement and command execution restricted by SELinux/AppArmor.
🎯 Exploit Status
Exploitation requires authenticated high-privilege access but command injection is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.10.2, 24.10.15, or 24.04.19
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362
Restart Required: Yes
Instructions:
1. Backup current configuration.
2. Update Centreon to the patched version using the official repositories.
3. Restart Centreon services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Backup Module Access
Temporarily remove or restrict access to the backup configuration module for non-essential administrators.
# Modify Centreon ACLs to restrict backup module access
# Review and adjust user roles in Centreon administration
Implement Input Validation Proxy
Deploy a WAF or reverse proxy with command injection rules to filter malicious backup parameter inputs.
# Configure ModSecurity or similar WAF with OS command injection rules
# Set up nginx/apache reverse proxy with input validation
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Centreon server from critical systems
- Enforce least privilege access controls and monitor all high-privilege user activities
🔍 How to Verify
Check if Vulnerable:
Check the Centreon version via the web interface or the command line and verify whether it falls within the affected ranges.
Check Version:
rpm -qa | grep centreon-web    (RPM-based systems)
dpkg -l | grep centreon-web    (Debian-based systems)
Verify Fix Applied:
Confirm the installed Centreon version is at least the fixed release for its branch (25.10.2, 24.10.15, or 24.04.19, or a later release on that branch), and test backup functionality with safe inputs.
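As an added check (example code written for this page, not Centreon's own tooling), the following Python script pulls the version out of the `rpm -qa` or `dpkg -l` output above and compares it numerically against the fixed release of its branch. The `FIXED_BY_BRANCH` table is taken from the affected ranges in the TL;DR; the package name `centreon-web` is the one grepped for above, and the sample listing lines in the comments are constructed.

```python
import re
import shutil
import subprocess

# Affected ranges from the advisory: on each of these branches, every release
# below the listed fixed version is affected. Branches not listed here are not
# named in the advisory and are treated as not affected by this check.
FIXED_BY_BRANCH = {
    (25, 10): (25, 10, 2),
    (24, 10): (24, 10, 15),
    (24, 4): (24, 4, 19),
}


def parse_version(text):
    """Reduce '24.10.3', '24.10.3-1.el9' or '24.04.12-1' to a (major, minor, patch)
    tuple of ints so that comparison is numeric ('24.10.9' is below '24.10.15')."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in one of the affected ranges of CVE-2025-5965."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False
    return v < fixed


def centreon_web_version(listing):
    """Extract the centreon-web version from `rpm -qa` or `dpkg -l` output.

    Constructed examples of the two formats handled:
      rpm -qa : 'centreon-web-24.10.3-1.el9.noarch'
      dpkg -l : 'ii  centreon-web  24.10.3-1  all  Centreon web interface'
    Returns None when the package does not appear in the listing."""
    for raw in listing.splitlines():
        line = raw.strip()
        m = re.match(r"centreon-web-(\d+\.\d+\.\d+)", line)
        if m:
            return m.group(1)
        # dpkg may suffix the package name with an architecture, e.g. ':all'
        m = re.match(r"ii\s+centreon-web(?::\S+)?\s+(\d+\.\d+\.\d+)", line)
        if m:
            return m.group(1)
    return None


def check_installed():
    """Query whichever package manager this host has and report the result."""
    cmd = ["rpm", "-qa"] if shutil.which("rpm") else ["dpkg", "-l"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    ver = centreon_web_version(out)
    if ver is None:
        return "centreon-web not found in the output of: " + " ".join(cmd)
    state = "AFFECTED - upgrade required" if is_affected(ver) else "not in an affected range"
    return f"centreon-web {ver}: {state}"


if __name__ == "__main__":
    print(check_installed())
```

Run it on the Centreon host as a user allowed to query the package database; the numeric comparison matters because a plain string or `sort` comparison ranks 24.10.9 above 24.10.15 and would report a vulnerable host as fixed.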
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs from Centreon processes
- Multiple failed backup attempts with unusual parameters
- Suspicious processes spawned by Centreon user
Network Indicators:
- Unexpected outbound connections from Centreon server
- Anomalous traffic patterns during backup operations
SIEM Query:
(process.name:sh OR process.name:bash) AND parent.name:centreon AND command_line:backup
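The parentheses in the query matter: in KQL and Splunk SPL, AND binds tighter than OR, so the unparenthesised form `process.name:sh OR process.name:bash AND ...` matches every `sh` process on the host regardless of its parent or command line. The following Python, added for this page and not part of the original advisory, applies both readings to a handful of constructed process-creation events (the field names are those of the query above; the values are made up, and the command lines are benign placeholders) so the difference is visible.

```python
import json

# Constructed sample events, one JSON object per line (not real Centreon logs).
SAMPLE_LOG = """
{"process.name": "bash", "parent.name": "centreon", "command_line": "bash -c backup --dest /var/lib/centreon/backup"}
{"process.name": "sh", "parent.name": "cron", "command_line": "sh /etc/cron.daily/logrotate"}
{"process.name": "php-fpm", "parent.name": "centreon", "command_line": "php-fpm: pool centreon"}
{"process.name": "sh", "parent.name": "centreon", "command_line": "sh -c backup.sh --full"}
{"process.name": "bash", "parent.name": "centreon", "command_line": "bash -c 'ls /var/log'"}
"""


def parse_events(text):
    """Parse JSON-lines input into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious(ev):
    """Intended rule: (process.name:sh OR process.name:bash)
    AND parent.name:centreon AND command_line:backup."""
    is_shell = ev.get("process.name") in ("sh", "bash")
    from_centreon = ev.get("parent.name") == "centreon"
    mentions_backup = "backup" in ev.get("command_line", "").lower()
    return is_shell and from_centreon and mentions_backup


def literal_query(ev):
    """The unparenthesised query as a KQL/SPL engine reads it, with AND binding
    tighter than OR: process.name:sh OR (process.name:bash AND parent.name:centreon
    AND command_line:backup). Any sh process matches, which floods the alert."""
    return ev.get("process.name") == "sh" or (
        ev.get("process.name") == "bash"
        and ev.get("parent.name") == "centreon"
        and "backup" in ev.get("command_line", "").lower()
    )


def find_suspicious(text, rule=is_suspicious):
    """Return the command lines of the events the given rule flags, in log order."""
    return [ev["command_line"] for ev in parse_events(text) if rule(ev)]


if __name__ == "__main__":
    print("intended rule :", find_suspicious(SAMPLE_LOG))
    print("literal query :", find_suspicious(SAMPLE_LOG, literal_query))
```

With the intended rule only the two shells spawned by the centreon parent with "backup" on their command line are flagged; the literal reading additionally flags the unrelated cron shell, which is the kind of false positive that gets such an alert tuned out. Baseline what the legitimate backup job normally spawns before alerting, so the rule fires on departures from that shape rather than on every scheduled run.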