CVE-2025-8459
📋 TL;DR
This stored XSS vulnerability in Centreon Infra Monitoring allows attackers to inject malicious scripts into web pages through the recurrent downtime scheduler modules. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. Affected users are those running Centreon Infra Monitoring versions 24.10.0-24.10.12, 24.04.0-24.04.17, or 23.10.0-23.10.27.
💻 Affected Systems
- Centreon Infra Monitoring
📦 What is this software?
Centreon Web by Centreon
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, compromise monitoring data integrity, pivot to internal systems, or establish persistent backdoors in the monitoring infrastructure.
Likely Case
Attackers steal session cookies or authentication tokens to gain unauthorized access to the Centreon interface, potentially modifying monitoring configurations or accessing sensitive infrastructure data.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers, preventing execution.
🎯 Exploit Status
Requires authenticated access to the Centreon interface. Stored XSS means payload persists and affects multiple users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.10.13, 24.04.18, or 23.10.28
Vendor Advisory: https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-8459-centreon-web-all-versions-high-severity-5117
Restart Required: Yes
Instructions:
1. Back up your Centreon configuration and database.
2. Update to the patched version using your package manager (yum update centreon or apt-get upgrade centreon).
3. Restart Centreon services: systemctl restart centreon centreon-gorgoned centreon-central.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for the recurrent downtime scheduler fields to reject suspicious characters.
Note: this requires modifying Centreon source code and is not recommended for production.
Output Encoding
Ensure all user-controlled data displayed in the web interface is properly HTML-encoded.
Note: this requires modifying Centreon source code and is not recommended for production.
🧯 If You Can't Patch
- Restrict access to the Centreon web interface using network segmentation and firewall rules
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check the installed Centreon version with rpm -qa | grep centreon-web or dpkg -l | grep centreon-web. If the version falls within one of the affected ranges (24.10.0-24.10.12, 24.04.0-24.04.17, or 23.10.0-23.10.27), the system is vulnerable.
Check Version:
rpm -qa | grep centreon-web || dpkg -l | grep centreon-web
Verify Fix Applied:
After patching, verify that the version shows 24.10.13, 24.04.18, or 23.10.28 or higher, then test the recurrent downtime scheduler functionality to confirm it still works.
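The version check above, turned into a pass/fail test against the three affected ranges. This is an added shell helper, not part of the advisory or of Centreon's tooling; it reads the package version with rpm or dpkg-query and strips an epoch or distro release tag (such as 1:24.10.5-1.el9) before comparing.

```shell
#!/bin/sh
# Added example: classify a centreon-web version against the affected
# ranges of CVE-2025-8459 (24.10.0-24.10.12, 24.04.0-24.04.17, 23.10.0-23.10.27).

# Reduce a packaging version string to bare major.minor.patch,
# e.g. "1:24.10.5-1.el9" -> "24.10.5".
normalize_version() {
  printf '%s\n' "$1" | sed -E 's/^[^0-9]*//; s/^[0-9]+://; s/^([0-9]+\.[0-9]+\.[0-9]+).*/\1/'
}

# Exit status 0 when the version is inside an affected range, 1 otherwise
# (also 1 when the string is not a full three-part version).
is_vulnerable() {
  v=$(normalize_version "$1")
  case "$v" in *.*.*) ;; *) return 1 ;; esac
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case "$major.$minor" in
    24.10) [ "$patch" -le 12 ] ;;
    24.04) [ "$patch" -le 17 ] ;;
    23.10) [ "$patch" -le 27 ] ;;
    *) return 1 ;;
  esac
}

# Read the installed centreon-web version from rpm or dpkg, whichever exists.
installed_version() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}\n' centreon-web 2>/dev/null
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}\n' centreon-web 2>/dev/null
  fi
}

# Print a verdict for the local host; exit 0 = affected, 1 = not affected,
# 2 = package not found.
report_installed() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "centreon-web package not found"
    return 2
  fi
  if is_vulnerable "$v"; then
    echo "centreon-web $v: in an affected range, upgrade to 24.10.13 / 24.04.18 / 23.10.28"
    return 0
  fi
  echo "centreon-web $v: not in an affected range"
  return 1
}
```

Source the file and run report_installed on the Centreon central server; the exit status lets the check be wired into a configuration-management or monitoring job.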
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to downtime scheduler endpoints
- Suspicious JavaScript payloads in web server logs
- Multiple failed login attempts followed by successful access
Network Indicators:
- Unusual outbound connections from Centreon server
- Traffic patterns suggesting data exfiltration
SIEM Query:
source="centreon-web.log" AND ("downtime" OR "scheduler") AND ("script" OR "javascript" OR "onerror" OR "onload")