CVE-2025-5946 Overview
CVE-2025-5946 is an OS command injection vulnerability in Centreon Infra Monitoring, specifically within the poller reload setup of the configuration modules. A high-privileged user can concatenate arbitrary instructions into the poller reload command executed by the server. The flaw is categorized under [CWE-78] for improper neutralization of special elements used in an OS command.
The vulnerability affects Centreon Web across multiple release branches: 24.10.0 before 24.10.13, 24.04.0 before 24.04.18, and 23.10.0 before 23.10.28. Successful exploitation yields execution under the privileges of the Centreon web service account.
Critical Impact
An authenticated administrator can inject operating system commands through the poller parameters page, achieving arbitrary command execution on the Centreon server.
Affected Products
- Centreon Infra Monitoring (centreon_web) 24.10.0 before 24.10.13
- Centreon Infra Monitoring (centreon_web) 24.04.0 before 24.04.18
- Centreon Infra Monitoring (centreon_web) 23.10.0 before 23.10.28
Discovery Timeline
- 2025-10-14 - CVE-2025-5946 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-5946
Vulnerability Analysis
The defect resides in the poller reload setup feature of the Centreon Web configuration modules. The application accepts user-controlled input from the poller parameters page and concatenates that input directly into a shell command that reloads the poller. Because the input is not neutralized before being passed to the OS command interpreter, an attacker controlling the field can append shell metacharacters and inject additional commands.
Exploitation requires high privileges on the Centreon interface, which limits the attack surface to authorized administrative users or to accounts captured through credential theft, session hijacking, or chained vulnerabilities. The forecasted exploitation likelihood is elevated for an authenticated flaw, reflecting interest from operators who already maintain footholds inside monitoring infrastructure.
Successful injection executes commands in the context of the Centreon backend process, which typically runs with privileges sufficient to read configuration files, access stored monitoring credentials, and interact with managed hosts through pollers.
Root Cause
The root cause is improper neutralization of shell metacharacters in input passed to the poller reload command. The application builds the command string through concatenation rather than using safe parameterized execution interfaces or strict allow-list validation. Characters such as ;, &&, |, and backticks are not stripped or escaped before the command is handed to the shell.
Attack Vector
The attack vector is network-based and authenticated. An adversary authenticates to the Centreon Web interface as a user with sufficient privileges to access poller configuration. The attacker then submits a crafted value on the poller parameters page containing shell separators followed by attacker-chosen commands. When the poller reload action is triggered, the injected commands run on the Centreon host.
No verified public exploit code is available for CVE-2025-5946. For technical specifics, refer to the Centreon CVE-2025-5946 Bulletin.
Detection Methods for CVE-2025-5946
Indicators of Compromise
- Unexpected child processes spawned by the Centreon web service or PHP-FPM workers, particularly shells (/bin/sh, /bin/bash) executing non-monitoring binaries.
- Audit log entries on the poller parameters page containing shell metacharacters such as ;, |, &&, $(, or backticks within poller reload fields.
- Outbound network connections from the Centreon host to unfamiliar destinations shortly after a poller reload event.
- New or modified files in web-writable directories, cron entries, or systemd units created by the Centreon service account.
Detection Strategies
- Monitor process ancestry for the Centreon web stack and alert when shell interpreters or system utilities (curl, wget, nc, python) are launched as children of the web service.
- Inspect Centreon application logs for poller configuration changes correlated with administrative sessions from atypical source addresses.
- Apply file integrity monitoring across Centreon configuration directories and the system cron and systemd paths.
Monitoring Recommendations
- Forward Centreon web access logs, audit logs, and host process telemetry to a centralized analytics platform for correlation.
- Track high-privilege account logins and configuration changes to the poller subsystem and alert on out-of-hours activity.
- Baseline normal poller reload command invocations and alert on deviations in command length or argument patterns.
How to Mitigate CVE-2025-5946
Immediate Actions Required
- Upgrade Centreon Web to a fixed release: 24.10.13, 24.04.18, or 23.10.28 or later within the respective branch.
- Audit Centreon user accounts and revoke high-privilege roles from any account that does not require poller configuration access.
- Review historical poller parameter changes and Centreon audit logs for evidence of prior injection attempts.
Patch Information
Centreon has released fixed builds across the affected branches. Review the Centreon Release Notes for upgrade artifacts and the Centreon CVE-2025-5946 Bulletin for vendor remediation guidance. Apply the patch in a maintenance window and validate poller reload functionality after upgrade.
Workarounds
- Restrict access to the Centreon Web administrative interface through network segmentation and VPN-only access until the patch is applied.
- Enforce multi-factor authentication for all Centreon administrative accounts to limit credential abuse.
- Temporarily remove poller configuration privileges from non-essential administrative roles.
# Verify the installed Centreon Web version against the fixed releases
rpm -q centreon-web || dpkg -l | grep centreon-web
# Example upgrade command (Red Hat-based)
sudo dnf update centreon-web
# Confirm the version meets the patched baseline
centreon -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

