CVE-2025-6791
📋 TL;DR
This SQL injection vulnerability in the monitoring event logs module of Centreon web lets an authenticated user place SQL syntax in the module's HTTP request parameters, where it is concatenated into a database query instead of being treated as data. The page lists Centreon web 23.10.0, 24.04.0 and 24.10.0 as affected, and the vendor bulletin linked below describes the issue as affecting all versions; check the bulletin for the exact fixed release in each branch. Organizations that run Centreon web for IT infrastructure monitoring should treat their installation as exposed until it is on a fixed release.
💻 Affected Systems
- Centreon Web
📦 What is this software?
Centreon Web by Centreon: the web front end of the Centreon IT infrastructure monitoring platform. The vulnerable code is in its monitoring event logs module, which is reachable by authenticated users of the web interface.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Centreon database: reading or altering monitoring data and application user tables, privilege escalation within the application, and, if the database account is over-privileged (for example, able to write files or run stacked queries), potential code execution on the underlying server.
Likely Case
Unauthorized read access to the Centreon database by an authenticated low-privileged user, exfiltration of monitoring data (hosts, services, contacts and their configuration), and a foothold for further compromise of the monitoring server.
If Mitigated
Limited impact where the web interface is reachable only from trusted networks and the application's database account holds only the privileges Centreon needs: the attacker is confined to data that account can already read. Injection attempts still leave traces in the web server and database logs, so they remain detectable.
🎯 Exploit Status
SQL injection requires little skill once the injectable parameter is known, so exploitation complexity should be assumed to be low. An authenticated Centreon web session with access to the monitoring event logs page is required to reach the vulnerable endpoint. No public proof of concept is listed here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: not listed here; the vendor bulletin below and the Centreon GitHub releases give the fixed release for each supported branch
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-6791-centreon-web-all-versions-high-severity-4900
Restart Required: Yes
Instructions:
1. Back up your Centreon installation and database.
2. Update to the latest patched version for your branch from the official GitHub releases (or your distribution's Centreon repository).
3. Restart the Centreon services.
4. Verify the fix: confirm the new version in the web interface and exercise the monitoring event logs page.
🔧 Temporary Workarounds
Input Validation Enhancement (applies to: all platforms)
Implement additional input validation for the monitoring event logs endpoint parameters.
Command: not applicable; this requires modifying the application code, so prefer the vendor patch.
Web Application Firewall Rules (applies to: all platforms)
Deploy WAF rules that block SQL injection patterns in requests to the event logs endpoint. The rules must inspect URL-decoded parameter values and cover request bodies as well as query strings, since an authenticated user can submit the same parameters by POST.
Command: WAF-specific configuration; use your WAF's generic SQL injection rule set scoped to the event logs path.
🧯 If You Can't Patch
- Restrict network access to Centreon web interface to trusted IP addresses only
- Implement database-level controls: run Centreon with a database account that has only the privileges it needs (in particular no FILE or SUPER privilege on MariaDB/MySQL), enable query logging, and review the grants on the Centreon databases
🔍 How to Verify
Check if Vulnerable:
Check the Centreon web version in the web interface (Administration > About) or with your package manager. The page lists 23.10.0, 24.04.0 and 24.10.0 as affected; treat any release in the 23.10, 24.04 or 24.10 branch below the fixed version named in the vendor bulletin as vulnerable.
Check Version:
Administration > About in the Centreon web interface; on package-based installs, rpm -q centreon-web (RHEL-like systems) or dpkg -l centreon-web (Debian-based systems). Note that /etc/centreon/centreon.conf.php holds the database connection settings, not the application version.
Verify Fix Applied:
After patching, confirm that the reported version is the fixed release for your branch, then exercise the monitoring event logs page with filters containing quotes and SQL keywords and check that the page behaves normally and no SQL errors appear in the web server or database logs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs (UNION SELECT, comment sequences, time-delay functions) issued by the Centreon web database account
- Multiple failed login attempts followed by access to the event logs page from the same source
- HTTP requests to the event logs endpoint whose parameters contain SQL syntax after URL decoding
Network Indicators:
- Unusually large result sets or long-running queries on the connection from the web server to the database
- HTTP POST requests containing SQL syntax to the event logs API
SIEM Query:
source="centreon_web" AND url="*event*log*" AND (param="*UNION SELECT*" OR param="*' OR *" OR param="*SLEEP(*" OR param="*-- *")
(Pseudo-query; adapt field names to your SIEM. Match on URL-decoded parameter values, and avoid bare substring matches such as "*OR*" or "*SELECT*", which also match ordinary words like "monitor", "error" and "selection".)
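The detection logic above, applied to web server access logs, as an added example that is not part of the advisory or of the Centreon code base. It parses Apache combined-format lines, URL-decodes the query string of requests to the event logs endpoint, and matches word-bounded SQL injection patterns so that ordinary words such as "monitor" or "error" are not flagged. The endpoint path (anything containing "eventLogs") and the sample log lines are constructed assumptions, not captured data.

```python
"""Scan Apache combined-format access logs for SQL injection attempts against
the Centreon event logs module.

Added example; not part of the advisory or the Centreon code base. The request
path used to identify the event logs endpoint (any path containing "eventLogs")
is an assumption, and the sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Word-bounded patterns applied to URL-decoded parameter values. A bare
# "OR"/"SELECT" substring test would also hit "monitor", "error" or
# "selection"; these patterns require the surrounding SQL syntax.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),              # UNION SELECT
    re.compile(r"['\"]\s*(or|and)\b\s*['\"\d(]", re.I),               # ' OR '1'='1
    re.compile(r"\b(sleep|benchmark|load_file|extractvalue|updatexml)\s*\(", re.I),
    re.compile(r"\binto\s+(out|dump)file\b", re.I),                   # file write
    re.compile(r"['\"]\s*(--|#|/\*)", re.I),                           # quote then comment
    re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),     # stacked query
]

# Constructed sample log (assumed endpoint path; not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /centreon/include/eventLogs/xml/data.php?output=ok HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2025:10:00:07 +0000] "GET /centreon/include/eventLogs/xml/data.php?output=x%27%20UNION%20SELECT%201,user(),3--%20- HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jul/2025:10:00:09 +0000] "GET /centreon/include/eventLogs/xml/data.php?host=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "python-requests/2.31"
10.0.0.5 - - [01/Jul/2025:10:00:12 +0000] "GET /centreon/include/eventLogs/xml/data.php?output=monitor%20error HTTP/1.1" 200 400 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2025:10:00:15 +0000] "GET /centreon/main.php?p=20301 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def is_event_logs_request(path: str) -> bool:
    """Assumed endpoint check: the module is served from a path containing 'eventLogs'."""
    return "eventlogs" in path.lower()


def sqli_match(value: str):
    """Return the pattern string of the first SQLi pattern matching a decoded value, else None."""
    for pat in SQLI_PATTERNS:
        if pat.search(value):
            return pat.pattern
    return None


def scan_access_log(log_text: str) -> list[dict]:
    """Return one hit per request to the event logs endpoint whose decoded query looks like SQLi."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not is_event_logs_request(parts.path):
            continue
        # parse_qsl percent-decodes values, so %27 becomes a quote before matching.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            pattern = sqli_match(value)
            if pattern:
                hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                             "value": value, "pattern": pattern, "ua": m["ua"]})
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} param={h['param']!r} value={h['value']!r} ua={h['ua']!r}")
```

Access logs record only the query string, so injection sent in a POST body is invisible here; for that, the same patterns belong in the WAF or in application-level request logging. The pattern list errs toward precision over recall, which is the right trade-off for a SIEM alert on an endpoint that legitimate users reach with free-text filters.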