cvelistv5 - cve-2025-15026

CVE-2025-15026 (GCVE-0-2025-15026)

Vulnerability from cvelistv5

Published

2026-01-05 14:31

Modified

2026-01-08 15:42

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Summary

Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.

References

URL

Tags

	https://github.com/centreon/centreon/releases	release-notes
	https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357	vendor-advisory

Impacted products

	Vendor	Product	Version
	Centreon	Infra Monitoring	Version: 25.10.0 < 25.10.2 Version: 24.10.0 < 24.10.3 Version: 24.04.0 < 24.04.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-05T21:19:51.218301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-05T21:19:59.162Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Awie import"
          ],
          "packageName": "centreon-awie",
          "product": "Infra Monitoring",
          "vendor": "Centreon",
          "versions": [
            {
              "lessThan": "25.10.2",
              "status": "affected",
              "version": "25.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "24.10.3",
              "status": "affected",
              "version": "24.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "24.04.3",
              "status": "affected",
              "version": "24.04.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "marceloQJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.\n\n\u003cp\u003eThis issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs.\n\nThis issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306 Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-08T15:42:06.582Z",
        "orgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
        "shortName": "Centreon"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/centreon/centreon/releases"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated configuration import allows administrative account creation using AWIE component",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bd4443e6-1eef-43f3-9886-25fc9ceeaae7",
    "assignerShortName": "Centreon",
    "cveId": "CVE-2025-15026",
    "datePublished": "2026-01-05T14:31:34.223Z",
    "dateReserved": "2025-12-22T09:36:24.995Z",
    "dateUpdated": "2026-01-08T15:42:06.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CERTFR-2026-AVI-0015

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits Centreon. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection SQL (SQLi).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Centreon	DSM	DSM versions 23.10.x antérieures à 23.10.5
Centreon	DSM	DSM versions 25.10.x antérieures à 25.10.1
Centreon	DSM	DSM versions 24.10.x antérieures à 24.10.4
Centreon	Web	Web versions 25.10.x antérieures à 25.10.2
Centreon	AWIE	AWIE versions 24.10.x antérieures à 24.10.3
Centreon	Web	Web versions 24.10.x antérieures à 24.10.15
Centreon	AWIE	AWIE versions 24.04.x antérieures à 24.04.3
Centreon	Web	Web versions 23.10.x antérieures à 23.10.29
Centreon	DSM	DSM versions 24.04.x antérieures à 24.04.8
Centreon	AWIE	AWIE versions 25.10.x antérieures à 25.10.2
Centreon	Web	Web versions 24.04.x antérieures à 24.04.19

References

Title

Publication Time

Tags

Bulletin de sécurité Centreon cve-2025-15026-centreon-awie-critical-severity-5357	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-5965-centreon-web-high-severity-5362	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-12513-centreon-web-medium-severity-5360	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-15029-centreon-awie-critical-severity-5356	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-12519-centreon-web-medium-severity-5359	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-13056-centreon-web-medium-severity-5358	2026-01-08	vendor-advisory
Bulletin de sécurité Centreon cve-2025-12511-centreon-dsm-medium-severity-5361	2026-01-08	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "DSM versions 23.10.x ant\u00e9rieures \u00e0 23.10.5",
      "product": {
        "name": "DSM",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "DSM versions 25.10.x ant\u00e9rieures \u00e0 25.10.1",
      "product": {
        "name": "DSM",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "DSM versions 24.10.x ant\u00e9rieures \u00e0 24.10.4",
      "product": {
        "name": "DSM",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "Web versions 25.10.x ant\u00e9rieures \u00e0 25.10.2",
      "product": {
        "name": "Web",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "AWIE versions 24.10.x ant\u00e9rieures \u00e0 24.10.3",
      "product": {
        "name": "AWIE",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "Web versions 24.10.x ant\u00e9rieures \u00e0 24.10.15",
      "product": {
        "name": "Web",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "AWIE versions 24.04.x ant\u00e9rieures \u00e0 24.04.3",
      "product": {
        "name": "AWIE",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "Web versions 23.10.x ant\u00e9rieures \u00e0 23.10.29",
      "product": {
        "name": "Web",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "DSM versions 24.04.x ant\u00e9rieures \u00e0 24.04.8",
      "product": {
        "name": "DSM",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "AWIE versions 25.10.x ant\u00e9rieures \u00e0 25.10.2",
      "product": {
        "name": "AWIE",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    },
    {
      "description": "Web versions 24.04.x ant\u00e9rieures \u00e0 24.04.19",
      "product": {
        "name": "Web",
        "vendor": {
          "name": "Centreon",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-15026",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15026"
    },
    {
      "name": "CVE-2025-12513",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12513"
    },
    {
      "name": "CVE-2025-13056",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-13056"
    },
    {
      "name": "CVE-2025-5965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-5965"
    },
    {
      "name": "CVE-2025-12519",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12519"
    },
    {
      "name": "CVE-2025-15029",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-15029"
    },
    {
      "name": "CVE-2025-12511",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-12511"
    }
  ],
  "initial_release_date": "2026-01-08T00:00:00",
  "last_revision_date": "2026-01-08T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0015",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-01-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Injection SQL (SQLi)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Centreon. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection SQL (SQLi).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Centreon",
  "vendor_advisories": [
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-15026-centreon-awie-critical-severity-5357",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15026-centreon-awie-critical-severity-5357"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-5965-centreon-web-high-severity-5362",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-5965-centreon-web-high-severity-5362"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12513-centreon-web-medium-severity-5360",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12513-centreon-web-medium-severity-5360"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-15029-centreon-awie-critical-severity-5356",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-15029-centreon-awie-critical-severity-5356"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12519-centreon-web-medium-severity-5359",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12519-centreon-web-medium-severity-5359"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-13056-centreon-web-medium-severity-5358",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-13056-centreon-web-medium-severity-5358"
    },
    {
      "published_at": "2026-01-08",
      "title": "Bulletin de s\u00e9curit\u00e9 Centreon cve-2025-12511-centreon-dsm-medium-severity-5361",
      "url": "https://thewatch.centreon.com/latest-security-bulletins-64/cve-2025-12511-centreon-dsm-medium-severity-5361"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-15026 (GCVE-0-2025-15026)

Vulnerability from cvelistv5

CERTFR-2026-AVI-0015

Vulnerability from certfr_avis

Solutions

Tags

Sightings

Nomenclature