CVE-2025-8430
📋 TL;DR
This stored XSS vulnerability in Centreon Infra Monitoring allows authenticated users with elevated privileges to inject malicious scripts into the Commands Connectors configuration modules. When other users view these configurations, the scripts execute in their browsers, potentially compromising their sessions or performing unauthorized actions. The vulnerability affects multiple versions of Centreon Infra Monitoring across different release branches.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Privileged attackers could steal administrator credentials, create backdoor accounts, modify monitoring configurations to hide malicious activity, or pivot to other systems in the network.
Likely Case
Privileged insiders or compromised accounts could perform session hijacking, data theft, or limited privilege escalation within the Centreon application.
If Mitigated
With proper access controls and input validation, impact is limited to isolated session compromise for users viewing malicious configurations.
🎯 Exploit Status
Exploitation requires privileged access to the Centreon interface. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.13, 24.04.18, 23.10.28
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8430-centreon-web-all-versions-medium-severity-5118
Restart Required: No
Instructions:
1. Back up your Centreon configuration and database.
2. Update to the patched version using your package manager (yum update centreon-web or apt-get upgrade centreon-web).
3. Verify that the update completed successfully.
4. Clear browser caches for all users.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for Commands Connectors configuration fields
# Requires custom development - implement proper HTML encoding for all user inputs in Commands Connectors modules
Privilege Reduction
Temporarily reduce privileges for users who don't need access to Commands Connectors configuration
# Use Centreon ACLs to restrict access to Commands Connectors modules to only essential administrators
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Enable audit logging for all Commands Connectors configuration changes and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check your Centreon version via the web interface (Administration > About) or command line: rpm -qa | grep centreon-web
Check Version:
rpm -qa | grep centreon-web # For RPM-based systems
apt list --installed | grep centreon-web # For Debian-based systems
Verify Fix Applied:
Verify that the installed version is at least the patched release for its branch: 24.10.13 (24.10), 24.04.18 (24.04), or 23.10.28 (23.10). Test input fields in the Commands Connectors configuration for proper HTML encoding.
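Because the fix lands on three separate release branches, a plain "newer than X" check is not enough: 24.04.18 is patched while 24.10.12 is not. The script below is an added example (not from the advisory or from Centreon) that classifies `rpm -qa` / `apt list` output against the per-branch patched versions listed above; the package-line layout and the sample lines are constructed assumptions.

```python
import re

# Patched versions per release branch, taken from the advisory (branch -> first fixed version).
PATCHED = {
    (24, 10): (24, 10, 13),
    (24, 4): (24, 4, 18),
    (23, 10): (23, 10, 28),
}

# Assumed line layouts: "centreon-web-<major>.<minor>.<patch>-<release>..." from `rpm -qa`,
# or "centreon-web/<suite>,now <major>.<minor>.<patch>-<release> ..." from `apt list --installed`.
# Both are handled by matching the package name followed by the first dotted digit triple.
VERSION_RE = re.compile(r"centreon-web\D*(\d+)\.(\d+)\.(\d+)")

def parse_version(line):
    """Return (major, minor, patch) from a package-manager line, or None if it is not centreon-web."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def assess(line):
    """Classify one package line as 'patched', 'vulnerable' or 'unknown-branch'; None if not centreon-web."""
    ver = parse_version(line)
    if ver is None:
        return None
    fixed = PATCHED.get(ver[:2])
    if fixed is None:
        return "unknown-branch"  # branch not covered by the advisory; consult the vendor bulletin
    return "patched" if ver >= fixed else "vulnerable"

def assess_all(text):
    """Map every centreon-web line in package-manager output to its status."""
    return {line: assess(line) for line in text.splitlines() if assess(line) is not None}

# Constructed sample output (not captured from a real host); centreon-common is ignored.
SAMPLE = """\
centreon-web-24.10.12-1.el9.noarch
centreon-web/stable,now 24.04.18-1 all [installed]
centreon-web-23.10.27-2.el8.noarch
centreon-common-24.10.12-1.el9.noarch
"""

if __name__ == "__main__":
    for line, status in assess_all(SAMPLE).items():
        print(f"{status:14s} {line}")
```

Pipe real output in with `rpm -qa | python3 check.py` style wiring if you replace SAMPLE with `sys.stdin.read()`.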
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to Commands Connectors configuration
- Multiple failed login attempts followed by successful privileged access
- Suspicious JavaScript payloads in configuration change logs
Network Indicators:
- Unexpected outbound connections from Centreon server after configuration changes
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="centreon.log" AND ("Commands Connectors" OR "configuration modified") AND ("script" OR "javascript:" OR "onerror=" OR "onload=")