CVE-2025-3872: 
Centreon vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-3872) was discovered in Centreon centreon-web's User configuration form modules. The vulnerability allows users with high privileges to escalate their privileges to administrator level by intercepting and modifying contact form request payloads. This vulnerability affects multiple versions of Centreon: versions 22.10.0 through 22.10.28, 23.04.0 through 23.04.25, 23.10.0 through 23.10.20, 24.04.0 through 24.04.10, and 24.10.0 through 24.10.4 (NVD).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. It has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires high privileges but no user interaction, and can be exploited over the network (NVD).

If exploited, this vulnerability allows privileged users to elevate their access rights to administrator level, potentially gaining complete control over the Centreon system. This could lead to unauthorized access to sensitive information and system configurations (NVD).

Centreon has released fixes for all affected versions. Users are recommended to update to the following patched versions: Centreon Web 24.10.4, Centreon Web 24.04.10, Centreon Web 23.10.20, or Centreon Web 23.04.25. These versions include cumulative fixes from prior updates (Centreon Github).