CVE-2025-5946: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Centreon Infra Monitoring
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Poller reload setup in the configuration modules) allows OS Command Injection. On the poller parameters page, a user with high privilege is able to concatenate custom instructions into the poller reload command. This issue affects Infra Monitoring: from 24.10.0 before 24.10.13, from 24.04.0 before 24.04.18, from 23.10.0 before 23.10.28.
AI Analysis
Technical Summary
CVE-2025-5946 is an OS command injection vulnerability classified under CWE-78, discovered in Centreon Infra Monitoring's poller reload configuration modules. The flaw exists because the application fails to properly sanitize or neutralize special characters in user-supplied input used in OS command execution. Specifically, a user with high privileges can append arbitrary commands to the poller reload command on the poller parameters page. This injection enables execution of arbitrary OS commands with the privileges of the Centreon service, potentially leading to full system compromise. Affected versions include 23.10.0 before 23.10.28, 24.04.0 before 24.04.18, and 24.10.0 before 24.10.13. The vulnerability does not require user interaction but does require authenticated high-privilege access, limiting exploitation to insiders or compromised accounts. The CVSS v3.1 score of 7.2 indicates a high severity, with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No public exploits are currently known, but the vulnerability poses a significant risk due to the critical nature of monitoring infrastructure and the potential for lateral movement or persistent compromise.
Potential Impact
For European organizations, this vulnerability threatens the security of critical IT infrastructure monitoring systems. Successful exploitation can lead to unauthorized command execution, enabling attackers to manipulate monitoring data, disable alerts, or pivot to other internal systems. This compromises operational integrity and availability of monitoring services, potentially delaying detection of other attacks or system failures. Confidential data accessible via the monitoring system could be exposed or altered. Given Centreon's widespread use in enterprise and government sectors across Europe, especially in industries reliant on continuous infrastructure monitoring (e.g., energy, finance, telecommunications), the impact could be severe. Disruption or manipulation of monitoring systems can have cascading effects on incident response and business continuity. The requirement for high privileges limits exploitation to insiders or attackers who have already gained elevated access, but this does not diminish the criticality given the potential damage. The absence of known exploits provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Apply official patches from Centreon as soon as they become available for affected versions (23.10.x, 24.04.x, 24.10.x).
2. Restrict access to the poller parameters page strictly to trusted administrators using role-based access controls and network segmentation.
3. Implement multi-factor authentication (MFA) for all high-privilege accounts to reduce risk of credential compromise.
4. Monitor logs and command execution traces for unusual or unauthorized commands related to poller reload operations.
5. Conduct regular audits of user privileges and remove unnecessary high-level access.
6. Employ application-layer input validation and sanitization controls where possible to detect or block injection attempts.
7. Consider deploying host-based intrusion detection systems (HIDS) to alert on suspicious OS command executions.
8. Educate administrators about the risks of command injection and the importance of secure configuration management.
9. Maintain up-to-date backups of monitoring configurations and system states to enable recovery in case of compromise.
10. Coordinate with Centreon support and security advisories for updates and best practices.
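One way to act on recommendations 4 and 6 is to audit the reload command stored for each poller against a known-good baseline. The following is an added example, not Centreon's code and not part of the original advisory. The baseline commands, the function names and the sample rows are assumptions; export the real values from your own poller configuration and replace the baseline with your change-controlled one.

```python
import re
import shlex

# Assumption: the reload commands your pollers are expected to use.
# Replace with the values from your own change-controlled baseline.
EXPECTED_RELOAD_COMMANDS = {
    ("systemctl", "reload", "centengine"),
    ("service", "centengine", "reload"),
}

# Characters and sequences a shell treats as control or expansion syntax.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")


def audit_reload_command(value, expected=EXPECTED_RELOAD_COMMANDS):
    """Return the findings for one stored reload command (empty list = clean)."""
    findings = []
    if SHELL_META.search(value):
        findings.append("shell-metacharacter")
    try:
        tokens = tuple(shlex.split(value))
    except ValueError:  # unbalanced quote: cannot be a plain command line
        findings.append("unparseable")
        return findings
    if tokens not in expected:
        findings.append("not-in-baseline")
    return findings


def audit_pollers(rows):
    """rows: iterable of (poller_name, reload_command). Returns {name: findings}."""
    report = {}
    for name, command in rows:
        findings = audit_reload_command(command)
        if findings:
            report[name] = findings
    return report


# Constructed sample rows (not taken from any real system).
SAMPLE_ROWS = [
    ("central", "systemctl reload centengine"),
    ("poller-a", "service centengine reload"),
    ("poller-b", "systemctl reload centengine; id"),
    ("poller-c", "systemctl reload 'centengine"),
    ("poller-d", "/usr/local/bin/reload.sh"),
]

if __name__ == "__main__":
    for poller, issues in audit_pollers(SAMPLE_ROWS).items():
        print(f"{poller}: {', '.join(issues)}")
```

The exact-match baseline is the control that matters here: the metacharacter pattern only explains why a value was rejected, and any command that is not in the baseline is reported even when it contains no special characters.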
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Centreon
- Date Reserved: 2025-06-09T17:09:29.545Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68ee5f184c738d5ce3163a1d
Added to database: 10/14/2025, 2:32:56 PM
Last enriched: 10/14/2025, 2:46:34 PM
Last updated: 10/16/2025, 12:33:36 PM