cbcvebase.
CVE-2025-5946
published 2025-10-14

CVE-2025-5946: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in…

PriorityP265high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
13.84%
96.1th percentile
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in the configuration modules) allows OS Command Injection. On the poller parameters page, a user with high privilege is able to concatenate custom instructions into the poller reload command. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.

Affected

6 ranges
VendorProductVersion rangeFixed in
centreoncentreon_web>= 23.10.0 < 23.10.2823.10.28
centreoncentreon_web>= 24.04.0 < 24.04.1824.04.18
centreoncentreon_web>= 24.10.0 < 24.10.1324.10.13
centreoninfra_monitoring>= 23.10.0 < 23.10.2823.10.28
centreoninfra_monitoring>= 24.04.0 < 24.04.1824.04.18
centreoninfra_monitoring>= 24.10.0 < 24.10.1324.10.13

Detection & IOCsextracted from sources · hover to see the quote

url/centreon/main.get.php?p=
otherbroker_reload_command=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Centreon broker_reload_command Parameter Command Injection Attempt (CVE-2025-5946)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/centreon/main.get.php?p="; fast_pattern; http.request_body; content:"broker_reload_command|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attackerkb.com/topics/23D4cUoBZj/cve-2025-5946; reference:cve,2025-5946; classtype:attempted-admin; sid:2065721; rev:1;)
  • Look for HTTP POST requests to /centreon/main.get.php?p= (URI length exactly 25 bytes) containing 'broker_reload_command=' in the request body followed by shell metacharacters: semicolon (;/%3B), newline (%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • A public Metasploit module exists for this CVE (centreon_auth_rce_cve_2025_5946.rb); monitor for exploitation attempts from authenticated admin sessions against the Centreon web UI.
  • ·Exploitation requires a high-privilege (admin) authenticated session in the Centreon web application; unauthenticated exploitation is not possible.
  • ·The Snort/Suricata rule (ET sid:2065721) is scoped to plaintext (non-TLS) traffic only; if Centreon is deployed behind HTTPS, this rule will not fire without TLS inspection.
  • ·Affected versions span a wide range (>= 19.10.0 per Metasploit module, NVD scopes from 23.10.0/24.04.0/24.10.0); ensure version checks cover all branches in scope.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.