CVE-2025-15026

Severity: CRITICAL
CVSS 3.1 base score: 9.8
2026-01-05 bd4443e6-1eef-43f3-9886-25fc9ceeaae7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
Patch Released: Jan 26, 2026 - 15:30 (nvd), patch available
CVE Published: Jan 05, 2026 - 15:15 (nvd), CRITICAL 9.8

Description

Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.

Analysis

Centreon Infra Monitoring's centreon-awie module lacks authentication on critical import functions, allowing unauthenticated attackers to access functionality that should be restricted by ACLs. Affects multiple Centreon versions. Patch available.

Technical Context

The centreon-awie module (used for configuration import/export) does not require authentication for critical functions (CWE-306). An attacker can access import functionality to inject malicious monitoring configurations, potentially gaining code execution through check commands or notification scripts.

Affected Products

Centreon Infra Monitoring 25.10.0–25.10.1, 24.10.0–24.10.2, 24.04.0–24.04.2

Remediation

Update to Centreon 25.10.2, 24.10.3, or 24.04.3. Restrict network access to the AWIE module. Review imported configurations for unauthorized changes.

Priority Score

49
KEV: 0
EPSS: +0.0
CVSS: +49
POC: 0
