CVE-2025-6791 Overview
CVE-2025-6791 is a SQL Injection vulnerability in the Centreon Web monitoring event logs module. An authenticated attacker can modify HTTP request parameters to inject a reflected payload that is stored in the backend database. The flaw stems from improper neutralization of special elements used in SQL commands [CWE-89]. Affected releases include Centreon Web versions 24.10.0, 24.04.0, and 23.10.0. The vulnerability impacts confidentiality, integrity, and availability of the monitoring platform and the data it stores.
Critical Impact
Authenticated attackers can inject arbitrary SQL through the monitoring event logs page, leading to data exfiltration, modification of stored records, and potential full compromise of the Centreon database.
Affected Products
- Centreon Web 24.10.0
- Centreon Web 24.04.0
- Centreon Web 23.10.0
Discovery Timeline
- 2025-08-22 - CVE-2025-6791 published to the National Vulnerability Database
- 2025-10-22 - Last updated in NVD database
Technical Details for CVE-2025-6791
Vulnerability Analysis
The vulnerability resides in the monitoring event logs module of Centreon Web. The application accepts user-controllable HTTP request parameters and incorporates them into SQL statements without sufficient sanitization or parameterization. Because the injected payload is written into the database, the attack pattern combines a reflected entry point with persistent storage of attacker-controlled SQL fragments.
Exploitation requires a network path to the Centreon Web interface and a low-privileged authenticated session. No user interaction is needed beyond the attacker's own request. A successful injection enables an adversary to read arbitrary tables, modify monitoring records, escalate privileges within the application, or disrupt monitoring operations that downstream incident response workflows depend on.
Root Cause
The root cause is improper neutralization of special elements used in an SQL command, classified under [CWE-89]. The event logs handler concatenates request parameters into SQL queries instead of using prepared statements with bound parameters. Input filtering applied at the controller layer fails to escape SQL metacharacters before the query is executed against the Centreon database.
Attack Vector
An authenticated user sends a crafted HTTP request to the monitoring event logs endpoint. The attacker manipulates query parameters or POST body fields that the backend uses to construct the events query. The injected SQL is executed by the database engine, and the malicious payload is also persisted in the events table, enabling repeated or chained abuse against other users and integrations that consume event log data.
No verified public exploit code is available. Refer to the Centreon Security Bulletin CVE-2025-6791 for vendor-confirmed technical details.
Detection Methods for CVE-2025-6791
Indicators of Compromise
- Unexpected SQL syntax fragments such as UNION SELECT, --, /*, or encoded equivalents appearing in HTTP request parameters to Centreon event log endpoints.
- Anomalous entries in the Centreon events database table containing SQL keywords, stacked queries, or out-of-band callback strings.
- Authenticated sessions from low-privileged Centreon accounts issuing unusually high volumes of requests to the monitoring event logs page.
Detection Strategies
- Inspect Centreon web server access logs for requests to the event logs module that include SQL metacharacters or URL-encoded variants.
- Enable database query logging on the Centreon backend and alert on queries containing concatenated user input or unusual INFORMATION_SCHEMA access.
- Deploy a web application firewall ruleset tuned for SQL injection patterns against the Centreon Web interface.
Monitoring Recommendations
- Correlate authentication events with subsequent event log queries to identify low-privilege accounts behaving like administrators.
- Track outbound network connections from the Centreon server to detect data exfiltration following suspected injection attempts.
- Baseline normal query patterns for the monitoring event logs page and alert on deviations in query length, parameter entropy, or response size.
How to Mitigate CVE-2025-6791
Immediate Actions Required
- Upgrade Centreon Web to a fixed release as listed in the vendor security bulletin.
- Restrict network access to the Centreon Web interface to trusted administrative networks and VPN endpoints.
- Audit and reduce the privileges of Centreon user accounts, removing access for users who do not require monitoring data.
- Review the events database table and authentication logs for signs of prior exploitation.
Patch Information
Centreon has published a security advisory and fixed builds. See the Centreon Security Bulletin CVE-2025-6791 and the GitHub Centreon Release Notes for the specific patched versions and upgrade procedures.
Workarounds
- Place the Centreon Web interface behind a web application firewall configured to block SQL injection patterns against the event logs endpoint.
- Temporarily disable or restrict access to the monitoring event logs page for non-administrative roles until the patch is applied.
- Enforce database-level least privilege so the Centreon application account cannot access tables outside the monitoring schema.
# Example WAF rule snippet (ModSecurity) to block SQLi patterns on the event logs endpoint
SecRule REQUEST_URI "@contains /monitoring/eventLogs" \
"id:1006791,phase:2,deny,status:403,\
chain,msg:'Potential CVE-2025-6791 SQLi attempt'"
SecRule ARGS "@rx (?i)(union(\s)+select|--|/\*|;\s*drop|information_schema)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

