CVE-2025-8429
📋 TL;DR
This stored XSS vulnerability in Centreon Infra Monitoring allows authenticated users with elevated privileges to inject malicious scripts into ACL Action access configuration modules. When other users view these pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Affected versions include 24.10.0-24.10.12, 24.04.0-24.04.17, and 23.10.0-23.10.27.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Privileged attacker steals administrator credentials, gains full system control, and pivots to other systems in the network.
Likely Case
Malicious insider or compromised privileged account steals session cookies, escalates privileges, or performs unauthorized configuration changes.
If Mitigated
Limited to data theft from users who view the malicious configuration pages, with no direct system compromise.
🎯 Exploit Status
Requires authenticated user with elevated privileges in ACL Action configuration. Exploitation involves injecting scripts into configuration fields that persist and execute when viewed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.13, 24.04.18, 23.10.28
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8429-centreon-web-all-versions-medium-severity-5119
Restart Required: No
Instructions:
1. Backup your Centreon configuration and database.
2. Update to the patched version via the package manager (yum update centreon-web or apt upgrade centreon-web).
3. Verify the update completed successfully.
4. Clear browser caches and test ACL Action configuration functionality.
🔧 Temporary Workarounds
Restrict ACL Action Configuration Access
Temporarily remove ACL Action configuration privileges from non-essential users until patching.
# Review and modify user roles in Centreon Administration > ACL > Actions
Input Validation Enhancement
Implement additional input sanitization for ACL Action configuration fields via custom validation rules.
# Add custom validation in Centreon configuration files for ACL Action input fields
🧯 If You Can't Patch
- Implement strict least-privilege access control for ACL Action configuration modules
- Deploy WAF with XSS protection rules specifically for Centreon paths
🔍 How to Verify
Check if Vulnerable:
Check Centreon version via web interface (Administration > About) or command: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web # or dpkg -l | grep centreon-web
Verify Fix Applied:
Confirm the installed version is at least 24.10.13, 24.04.18, or 23.10.28 for the respective release branch. Test ACL Action configuration fields for script injection attempts.
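As an added example (not part of this advisory or of Centreon's own tooling), a POSIX shell helper that reads the installed centreon-web package version and decides whether it is at or above the fixed release for its branch. It assumes the version string has the form major.minor.patch, optionally followed by a distribution suffix.

```shell
#!/bin/sh
# Added example: check whether an installed centreon-web version is patched
# against CVE-2025-8429. Fixed releases per branch (from the advisory):
# 24.10.13, 24.04.18, 23.10.28.

# is_patched VERSION
#   exit 0 if VERSION is at or above the fix for its branch,
#   exit 1 if it is on a vulnerable release of a listed branch,
#   exit 2 if the branch is not one named by the advisory.
is_patched() {
    ver=$1
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Third component, with any "-1.el9"-style package suffix stripped.
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    case "$major.$minor" in
        24.10) fix=13 ;;
        24.04) fix=18 ;;
        23.10) fix=28 ;;
        *) return 2 ;;
    esac
    [ "${patch:-0}" -ge "$fix" ]
}

# installed_version: print the centreon-web version from rpm or dpkg,
# whichever package manager is present (assumed package name: centreon-web).
installed_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' centreon-web 2>/dev/null
    elif command -v dpkg-query >/dev/null 2>&1; then
        # Drop the Debian epoch ("1:") and revision ("-1") if present.
        dpkg-query -W -f '${Version}\n' centreon-web 2>/dev/null | sed 's/^[0-9]*://; s/-.*//'
    fi
}

# Usage on a Centreon host: report the result for the installed package.
v=$(installed_version)
if [ -n "$v" ]; then
    if is_patched "$v"; then echo "centreon-web $v: patched"
    elif [ $? -eq 2 ]; then echo "centreon-web $v: branch not covered by advisory"
    else echo "centreon-web $v: VULNERABLE, update required"
    fi
fi
```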
📡 Detection & Monitoring
Log Indicators:
- Unusual ACL Action configuration modifications
- Multiple failed login attempts followed by ACL configuration changes
- Suspicious strings in Centreon web logs containing script tags
Network Indicators:
- Unexpected outbound connections from Centreon server after ACL configuration changes
SIEM Query:
source="centreon.log" AND ("ACL Action" OR "configuration modified") AND ("script" OR "javascript:" OR "onload=")