CVE-2025-15026
Centreon · Centreon Infra Monitoring
A critical vulnerability exists in the Centreon Infra Monitoring platform that allows an unauthenticated attacker to bypass access controls and execute critical functions.
Executive summary
A critical vulnerability exists in the Centreon Infra Monitoring platform that allows an unauthenticated attacker to bypass access controls and execute critical functions. This flaw, located in the Awie import module, could enable a remote attacker to take full control of the monitoring system, potentially leading to data theft, service disruption, and further network compromise. Due to its high severity and the lack of required authentication, immediate remediation is strongly recommended.
Vulnerability
The vulnerability is a Missing Authentication for a Critical Function within the centreon-awie (Awie import) module. This component fails to properly enforce authentication and authorization checks, allowing an unauthenticated remote attacker to access functionality that should be restricted to privileged users. By sending specially crafted requests to the vulnerable module's endpoints, an attacker can bypass Access Control Lists (ACLs) and perform high-privilege actions, such as importing or modifying monitoring configurations. This could be leveraged to disable security alerts, exfiltrate sensitive network data, or potentially achieve remote code execution on the server.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could grant an attacker complete administrative control over the organization's IT monitoring infrastructure. The potential consequences include the attacker disabling critical alerts to hide other malicious activity, stealing sensitive configuration data (including credentials and network topology), or using the compromised Centreon server as a pivot point to launch further attacks against the internal network. This poses a significant risk of major data breaches, extended system downtime, and a complete loss of visibility into the health and security of the IT environment.
Remediation
Immediate Action: Update all affected Centreon Infra Monitoring instances to a patched version (25.10.2, 24.10.3, 24.04.3, or later) as recommended by the vendor. After patching, continue to monitor for exploitation attempts and thoroughly review historical access logs for indicators of compromise dating from before the update.
Proactive Monitoring:
- Monitor web server (e.g., Apache, Nginx) access logs for suspicious requests to URLs associated with the centreon-awie module, particularly from unknown or external IP addresses.
- Audit the Centreon configuration for any unauthorized or unexpected changes to hosts, services, commands, or user accounts.
- Implement alerting for any modifications to critical Centreon configuration files on the server's file system.
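As an added example (not part of this advisory and not Centreon's own code), a small Python detector that applies the first monitoring item above to combined-format web server access logs: it flags requests whose path contains centreon-awie and whose client address lies outside a trusted set of networks. The trusted networks, the sample log lines and the URL paths in them are constructed assumptions; the advisory does not list the module's actual endpoint paths.

```python
import ipaddress
import re
from typing import List, Tuple

# Networks considered trusted (assumption: replace with your own admin subnets).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # unparsable address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def flag_awie_requests(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, path, status) for requests that touch the
    centreon-awie module from an address outside the trusted networks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # not a combined-format line; skip it
        # Assumption: the module's URLs contain the module name in the path.
        if "centreon-awie" not in m.group("path").lower():
            continue
        if is_trusted(m.group("ip")):
            continue
        hits.append((m.group("ip"), m.group("ts"), m.group("path"), m.group("status")))
    return hits

# Constructed sample lines (not real traffic); the paths are illustrative only.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jan/2025:10:00:01 +0000] "GET /centreon/main.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Jan/2025:10:00:02 +0000] "POST /centreon/modules/centreon-awie/import HTTP/1.1" 200 98 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2025:10:05:44 +0000] "POST /centreon/modules/centreon-awie/import HTTP/1.1" 200 98 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Jan/2025:10:06:10 +0000] "GET /centreon/modules/centreon-awie/ HTTP/1.1" 302 0 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, path, status in flag_awie_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path}")
```

Feed it real log lines via `flag_awie_requests(open(path).readlines())` and compare the hits against the audit of configuration changes in the second item above.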
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Restrict access to the Centreon web interface at the network level, allowing connections only from trusted IP addresses and subnets via a firewall.
- If the centreon-awie module is not essential for business operations, consider disabling it entirely.
- Deploy a Web Application Firewall (WAF) with rules designed to inspect and block malicious traffic targeting the vulnerable module's endpoints.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations prioritize the immediate patching of all affected Centreon Infra Monitoring systems. The lack of an authentication requirement makes it an attractive target for automated attacks. Although this CVE is not currently listed on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above should be implemented as a matter of urgency to limit exposure.