CVE-2025-12514

Centreon · Centreon Infra Multiple Products

A high-severity SQL Injection vulnerability has been discovered in multiple Centreon Infra products, specifically within the Open-tickets module.

Executive summary

A high-severity SQL Injection vulnerability has been discovered in multiple Centreon Infra products, specifically within the Open-tickets module. An attacker who has already gained elevated privileges on the system can exploit this flaw to execute unauthorized commands on the underlying database, potentially leading to data theft, modification, or service disruption. Organizations are urged to apply vendor-supplied patches immediately to mitigate the risk of data compromise.

Vulnerability

The vulnerability is an Improper Neutralization of Special Elements used in an SQL Command, commonly known as SQL Injection. It exists within the configuration parameters of notification rules and the Open-tickets module. An authenticated attacker with elevated privileges can inject malicious SQL queries by manipulating input fields. Successful exploitation allows the attacker to bypass application-level security and interact directly with the database to read, update, delete, or exfiltrate sensitive monitoring data and system configurations.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.2. Exploitation could have a significant business impact, including the compromise of sensitive infrastructure and performance data, which could be leveraged for further attacks. The potential consequences include loss of data confidentiality, as an attacker could exfiltrate host configurations and credentials; loss of integrity, as monitoring data could be altered to hide malicious activity; and loss of availability if the database is corrupted or deleted, disrupting critical monitoring and alerting functions for the entire IT environment.

Remediation

Immediate Action: The primary remediation is to apply the security patches provided by Centreon as soon as possible. In addition, organizations should conduct a review of database access controls to ensure the Centreon application is operating with the principle of least privilege. Enabling and regularly reviewing detailed database query logs can also help in detecting and responding to potential exploitation attempts.

Proactive Monitoring: Security teams should monitor for unusual or malformed SQL queries originating from the Centreon application server, particularly targeting tables related to the Open-tickets and notification modules. Monitor Centreon application logs for anomalous activity from privileged user accounts, such as unexpected changes to notification rule configurations.
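One way to turn the database-side monitoring above into a concrete check, as an added example that is not part of this advisory or of Centreon's own tooling: the script below scans MariaDB general-log lines for statements that touch the Open-tickets or notification tables and also carry common injection indicators. The table names and the sample log lines are assumed placeholders, not values from the advisory.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Table names are assumed placeholders (constructed, not taken from the advisory);
# replace them with the Open-tickets and notification tables of your deployment.
WATCHED_TABLES = ("mod_open_tickets_rule", "notification_rule")

# Injection indicators. Each hit is a triage lead, not proof of exploitation:
# an admin pasting odd text into a rule can trip these too.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[^;]*\bselect\b", re.I),
    "tautology": re.compile(r"\b(or|and)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')", re.I),
    "comment": re.compile(r"--\s|/\*"),
    "stacked_statement": re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\b", re.I),
}

# MariaDB general log line: [YYMMDD HH:MM:SS] <thread_id> <Command>\t<argument>
LOG_LINE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s+(.*)$")


def parse_general_log(lines: List[str]) -> Iterator[Tuple[int, str]]:
    """Yield (thread_id, sql) for Query/Execute entries; skip Connect/Quit etc."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group(2) in ("Query", "Execute"):
            yield int(m.group(1)), m.group(3)


def find_suspicious(lines: List[str]) -> List[Dict]:
    """Return statements that touch a watched table AND carry an injection indicator."""
    findings = []
    for thread_id, sql in parse_general_log(lines):
        tables = [t for t in WATCHED_TABLES if t in sql.lower()]
        if not tables:  # keep noise down: only the modules named in the advisory
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(sql)]
        if hits:
            findings.append({"thread": thread_id, "tables": tables,
                             "indicators": hits, "sql": sql})
    return findings


# Constructed sample log (not real Centreon traffic): a benign query, three injected
# statements against watched tables, one tautology against an unwatched table, a Quit.
SAMPLE_LOG = """\
251105 10:12:33     12 Query\tSELECT rule_id, alias FROM mod_open_tickets_rule WHERE rule_id = 3
251105 10:12:34     12 Query\tUPDATE mod_open_tickets_rule SET alias = 'x' WHERE rule_id = 3 OR 1=1 -- '
251105 10:12:35     15 Query\tSELECT * FROM notification_rule WHERE name = 'a' UNION SELECT 1, 2 -- '
251105 10:12:36     15 Query\tSELECT name FROM host WHERE host_id = 7 OR 1=1
251105 10:12:37     18 Query\tSELECT 1; SELECT SLEEP(5) FROM notification_rule
251105 10:12:38     12 Quit
""".splitlines()

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"thread {f['thread']} {f['tables']} {f['indicators']}: {f['sql']}")
```

The general log is verbose on a busy monitoring server, so run this against a rotated copy or scope it to the Centreon application's database user rather than enabling it permanently.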

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. This includes deploying a Web Application Firewall (WAF) with rulesets designed to detect and block SQL injection attack patterns. Restricting network access to the Centreon management interface to only trusted administrative subnets and enforcing multi-factor authentication (MFA) for all privileged accounts can further reduce the attack surface.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.2) and the critical role of Centreon in infrastructure monitoring, it is strongly recommended that organizations prioritize the deployment of the vendor-provided patch to all affected systems. Although this vulnerability is not currently listed on the CISA KEV list, its potential impact on data confidentiality and integrity warrants immediate attention. Until patches are fully deployed, organizations must implement the recommended compensating controls and proactive monitoring to reduce the risk of exploitation.