Awie
CVE-2025-15029
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user.
This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.
AnalysisAI
Centreon Infra Monitoring's AWIE export module contains SQL injection accessible to unauthenticated users. Combined with CVE-2025-15026 (missing auth on import), the AWIE module has both unauthenticated data extraction and unauthorized configuration access. Patch available.
Technical ContextAI
The AWIE (Application Web Import/Export) module fails to parameterize user input in SQL queries within the export functionality (CWE-89). Since the module also lacks authentication (CVE-2025-15026), the SQL injection is reachable without any credentials. Centreon databases contain SNMP communities, host credentials, and monitoring configurations.
RemediationAI
Update to Centreon 25.10.2, 24.10.3, or 24.04.3. Restrict AWIE module access to management networks.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today