CVE-2025-5946
Published 2025-10-14
Priority P2 · 65 · high · 7.2 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit · EPSS 13.84% (96.1st percentile)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in the configuration modules) allows OS Command Injection.
On the poller parameters page, a user with high privilege is able to concatenate custom instructions into the poller reload command.
This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| centreon | centreon_web | >= 23.10.0 < 23.10.28 | 23.10.28 |
| centreon | centreon_web | >= 24.04.0 < 24.04.18 | 24.04.18 |
| centreon | centreon_web | >= 24.10.0 < 24.10.13 | 24.10.13 |
| centreon | infra_monitoring | >= 23.10.0 < 23.10.28 | 23.10.28 |
| centreon | infra_monitoring | >= 24.04.0 < 24.04.18 | 24.04.18 |
| centreon | infra_monitoring | >= 24.10.0 < 24.10.13 | 24.10.13 |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Centreon broker_reload_command Parameter Command Injection Attempt (CVE-2025-5946)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/centreon/main.get.php?p="; fast_pattern; http.request_body; content:"broker_reload_command|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attackerkb.com/topics/23D4cUoBZj/cve-2025-5946; reference:cve,2025-5946; classtype:attempted-admin; sid:2065721; rev:1;)
- Look for HTTP POST requests to /centreon/main.get.php?p= (URI length exactly 25 bytes) containing 'broker_reload_command=' in the request body followed by shell metacharacters: semicolon (;/%3B), newline (%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- A public Metasploit module exists for this CVE (centreon_auth_rce_cve_2025_5946.rb); monitor for exploitation attempts from authenticated admin sessions against the Centreon web UI.
- Exploitation requires a high-privilege (admin) authenticated session in the Centreon web application; unauthenticated exploitation is not possible.
- The Snort/Suricata rule (ET sid:2065721) is scoped to plaintext (non-TLS) traffic only; if Centreon is deployed behind HTTPS, this rule will not fire without TLS inspection.
- Affected versions span a wide range (>= 19.10.0 per the Metasploit module; NVD scopes from 23.10.0/24.04.0/24.10.0); ensure version checks cover all branches in scope.
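To check what the ET rule above actually fires on, the following is an added example (not code from this page, from Emerging Threats or from Centreon) that re-implements the rule's three conditions in Python and runs them over constructed request samples; the function name `matches_rule` and the sample bodies are assumptions of this example.

```python
import re

# Shell-metacharacter alternatives copied from the ET rule's pcre (; \n ` | $,
# raw or percent-encoded). The lazy [^&]*? prefix confines the search to the
# value of the matched parameter: a metacharacter in a later form field does
# not count, exactly as in the original rule.
META = re.compile(r"^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")
URI = "/centreon/main.get.php?p="   # 25 bytes, so bsize:25 means "exactly this URI"
PARAM = "broker_reload_command="


def matches_rule(method: str, uri: str, body: str) -> bool:
    """Return True when a request satisfies every condition of ET sid:2065721."""
    if method != "POST":                      # http.method; content:"POST"
        return False
    if uri != URI:                            # http.uri; bsize:25; content:"/centreon/main.get.php?p="
        return False
    idx = body.find(PARAM)                    # http.request_body; content:"broker_reload_command|3d|"
    if idx < 0:
        return False
    # The pcre uses /R, i.e. it is anchored right after the previous content match.
    return META.match(body[idx + len(PARAM):]) is not None


# Constructed request samples (not captured traffic), keyed by what they show.
SAMPLES = {
    "benign":      ("POST", URI, "broker_reload_command=service+cbd+reload&other=1"),
    "semicolon":   ("POST", URI, "broker_reload_command=reload%3Bid"),
    "newline":     ("POST", URI, "broker_reload_command=reload%0aid"),
    "other_field": ("POST", URI, "a=x;y&broker_reload_command=reload&b=1|2"),
    "wrong_uri":   ("POST", "/centreon/main.get.php?p=60901", "broker_reload_command=reload%3Bid"),
    "not_post":    ("GET", URI, "broker_reload_command=reload%3Bid"),
}


def evaluate() -> dict:
    """Apply the rule to every sample; only 'semicolon' and 'newline' should alert."""
    return {name: matches_rule(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:12s} {'ALERT' if hit else 'no match'}")
```

The "wrong_uri" sample is worth noting: because the rule pins the URI to exactly 25 bytes, the same body sent to a URI with a non-empty `p=` value does not match, so the network signature should be paired with host-side review of changes to the poller reload command rather than relied on alone.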
Suricata
ET WEB_SPECIFIC_APPS Centreon broker_reload_command Parameter Command Injection Attempt (CVE-2025-5946)
suricata · 2025-11-11 · CVSS 7.2 · severity HIGH
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Centreon broker_reload_command Parameter Command Injection Attempt (CVE-2025-5946)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/centreon/main.get.php?p="; fast_pattern; http.request_body; content:"broker_reload_command|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,attackerkb.com/topics/23D4cUoBZj/cve-2025-5946; reference:cve,2025-5946; classtype:attempted-admin; sid:2065721; rev:1; metadata:affected_product Centreon, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_11, cve CVE
No writeups or analysis indexed.