
CVE-2025-58156: CWE-285: Improper Authorization in nofusscomputing centurion_erp

Severity: Low
Tags: Vulnerability, CVE-2025-58156, cve, cwe-285
Published: Fri Aug 29 2025 (08/29/2025, 21:40:16 UTC)
Source: CVE Database V5
Vendor/Project: nofusscomputing
Product: centurion_erp

Description

Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the token value itself, but only in its hashed form; no un-hashed authentication token is viewable. This issue has been patched in version 1.21.0. A workaround is not deemed viable, as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the affected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database.

AI-Powered Analysis

AILast updated: 09/07/2025, 00:33:18 UTC

Technical Analysis

CVE-2025-58156 is a security vulnerability classified under CWE-285 (Improper Authorization) affecting the Centurion ERP software developed by nofusscomputing. Centurion ERP is an enterprise resource planning system with a focus on IT service management (ITSM) and automation. The vulnerability exists in versions from 1.12.0 up to but not including 1.21.0. It allows an authenticated user with limited privileges to view all authentication token details stored in the database. While the actual tokens are stored as hashes and not in plaintext, the exposure of hashed tokens still represents a risk because it could potentially aid attackers in offline brute-force or cryptanalysis attacks to recover tokens or facilitate token replay attacks. The vulnerability does not expose un-hashed tokens, and no direct token theft is possible without further exploitation. The issue has been addressed and patched in version 1.21.0 of Centurion ERP. Due to the nature of the vulnerability, no viable workaround exists other than disabling token authentication, which is impractical. The recommended remediation is to upgrade to version 1.21.0 or later and to remove all authentication tokens created by the affected versions from the database to prevent misuse. The CVSS v3.1 base score is 1.9, indicating a low severity, reflecting the limited confidentiality impact, the requirement for authenticated access, and the need for user interaction to exploit the vulnerability. There are no known exploits in the wild at this time.

Potential Impact

For European organizations using Centurion ERP versions between 1.12.0 and 1.20.x, this vulnerability could lead to unauthorized disclosure of hashed authentication tokens to any authenticated user, potentially including lower-privileged users or insiders. Although the tokens are hashed, exposure increases the risk of token compromise through offline attacks, which could lead to unauthorized access if tokens are weak or hashing is insufficiently robust. This could undermine the confidentiality of the authentication mechanism and potentially allow lateral movement or privilege escalation within the ERP system. Given the ERP's role in ITSM and automation, unauthorized access could disrupt business processes, expose sensitive operational data, or allow manipulation of automated workflows. However, the impact is mitigated by the requirement for authenticated access and the absence of direct token plaintext exposure. European organizations with strict data protection regulations (e.g., GDPR) must consider the risk of insider threats and ensure timely patching to avoid compliance issues related to unauthorized data access.

Mitigation Recommendations

1. Upgrade Centurion ERP installations to version 1.21.0 or later immediately to apply the official patch addressing this vulnerability.
2. After upgrading, remove all existing authentication tokens from the database to invalidate any potentially compromised tokens created under the affected versions. This can be done by executing database commands or using administrative tools provided by Centurion ERP to purge tokens.
3. Enforce strong token generation policies and ensure that token hashes use strong cryptographic hashing algorithms with salts to reduce the risk of offline attacks.
4. Implement strict access controls and monitoring to detect any unusual access patterns or attempts to enumerate authentication tokens.
5. Conduct regular audits of user privileges to minimize the number of users with authenticated access, limiting exposure.
6. Educate users and administrators about the importance of timely patching and token management to prevent exploitation.
7. If feasible, consider multi-factor authentication (MFA) integration to reduce the risk of token misuse even if tokens are compromised.
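The following is an added illustration of the defensive pattern the advisory and recommendations 2 and 3 describe; it is hypothetical example code, not Centurion ERP's own implementation, and the `TokenStore` class, its method names and the in-memory record layout are assumptions. It contrasts a token listing that checks only that the caller is authenticated (the CWE-285 shape described above) with one that also enforces ownership, stores tokens only as salted hashes, verifies them in constant time, and provides the purge-all-tokens cleanup step.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _hash_token(raw: str, salt: str) -> str:
    """Salted SHA-256 of a raw token; only this digest is ever persisted."""
    return hashlib.sha256((salt + raw).encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    # Constructed record layout (hypothetical); the raw token is never stored.
    owner: str
    token_hash: str
    salt: str


@dataclass
class TokenStore:
    """In-memory stand-in for the database table holding API tokens."""
    records: Dict[int, TokenRecord] = field(default_factory=dict)
    _next_id: int = 1

    def issue(self, owner: str) -> Tuple[int, str]:
        """Mint a high-entropy token for `owner`; return (id, raw) and keep only the hash."""
        raw = secrets.token_urlsafe(32)
        salt = secrets.token_hex(16)
        token_id = self._next_id
        self._next_id += 1
        self.records[token_id] = TokenRecord(owner, _hash_token(raw, salt), salt)
        return token_id, raw

    def verify(self, raw: str) -> Optional[str]:
        """Return the owner whose stored hash matches `raw`, else None (constant-time compare)."""
        for rec in self.records.values():
            if hmac.compare_digest(_hash_token(raw, rec.salt), rec.token_hash):
                return rec.owner
        return None

    def list_tokens_missing_authz(self, requester: str) -> List[TokenRecord]:
        """CWE-285 shape: caller is authenticated, but no object-level check is applied,
        so every user's (hashed) token records are returned."""
        return list(self.records.values())

    def list_tokens(self, requester: str) -> List[TokenRecord]:
        """Corrected listing: only records the requester owns are returned."""
        return [rec for rec in self.records.values() if rec.owner == requester]

    def purge_all(self) -> int:
        """Invalidate every token; the post-upgrade cleanup the advisory recommends."""
        count = len(self.records)
        self.records.clear()
        return count


def demo() -> dict:
    """Run the scenario end to end and return the observable results."""
    store = TokenStore()
    _, alice_raw = store.issue("alice")
    store.issue("bob")
    return {
        "seen_without_authz": len(store.list_tokens_missing_authz("bob")),
        "seen_with_authz": len(store.list_tokens("bob")),
        "alice_verifies": store.verify(alice_raw),
        "garbage_verifies": store.verify("not-a-real-token"),
        "purged": store.purge_all(),
        "alice_after_purge": store.verify(alice_raw),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership filter in `list_tokens` is the authorization fix; hashing with a per-record salt and `hmac.compare_digest` cover recommendation 3, and `purge_all` is the step that makes any records exposed before the upgrade worthless.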


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-27T13:34:56.185Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b22005ad5a09ad007bb540

Added to database: 8/29/2025, 9:47:49 PM

Last enriched: 9/7/2025, 12:33:18 AM

Last updated: 10/14/2025, 12:31:08 PM

Views: 37
