CERTFR-2026-AVI-0572 — Centreon Infra Monitoring: RCE / SQLi / XSS cluster (April 2026 bulletin)
From CTI Daily Brief — 2026-05-13 · published 2026-05-13
CERT-FR's CERTFR-2026-AVI-0572 (2026-05-12) consolidates the April 2026 monthly security bulletin for Centreon Infra Monitoring — the enterprise monitoring platform widely deployed in French and EU public-sector NOCs and government ISPs (CERT-FR CERTFR-2026-AVI-0572, 2026-05-12; Centreon security bulletin, 2026-05-12). The bulletin lists command injection (effectively RCE in Centreon MBI), SQL injection, and XSS (Centreon Map, CVSS 6.8) findings spread across Centreon Anomaly Detection, Auto Discovery, AWIE, BAM, DSM, License Manager, MAP, MBI and Open Tickets — affecting 24.04.x (MBI only), 24.10.x and 25.10.x branches. Per-CVE identifiers are enumerated in the Centreon bulletin rather than the CERT-FR advisory. No ITW reported.
The defender-relevant property is that Centreon stores privileged monitored-host credentials (SNMP communities, SSH private keys, vendor-API tokens) — compromise of a Centreon instance is a high-impact lateral-movement enabler against the entire monitored estate.
Detection concepts: monitor Centreon front-end access logs for the listed component endpoints from non-NOC source networks; alert on Centreon process spawning child shells outside scheduled poller intervals.
Hardening: apply the April 2026 monthly update; segment Centreon's monitoring VLAN from user / internet networks; treat Centreon credentials-vault contents as Tier-0 in the AD admin-tiering model.
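
The access-log detection concept above, as an added example (not code from CERT-FR, Centreon or this brief): it parses combined-format web access log lines and flags requests that touch the listed components from outside the NOC networks. The NOC CIDRs, the path fragments and the sample log lines are assumptions constructed for illustration; substitute the real module paths and source ranges of your deployment.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: source networks from which NOC staff reach the Centreon web UI.
NOC_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/28")]

# Assumption: path fragments derived from the component names in the bulletin.
# They are placeholders; replace them with the module paths of your deployment.
COMPONENT_HINTS = ("anomaly-detection", "autodiscovery", "awie", "bam", "dsm",
                   "license-manager", "map", "mbi", "open-tickets")

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (addresses, paths and timestamps are made up).
SAMPLE_LOG = [
    '10.20.0.15 - - [12/May/2026:09:01:11 +0200] "GET /centreon/modules/centreon-bam-server/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/May/2026:09:03:42 +0200] "POST /centreon/modules/centreon-mbi/report.php?id=1 HTTP/1.1" 500 312 "-" "curl/8.5"',
    '198.51.100.9 - - [12/May/2026:09:04:00 +0200] "GET /centreon/img/bitmap.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2026:09:05:10 +0200] "GET /centreon/modules/centreon-open-tickets/views/list.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

def matched_component(path):
    """Return the hint found as a hyphen-delimited token of a path segment."""
    clean = unquote(path.split("?", 1)[0]).lower()
    for seg in clean.split("/"):
        for hint in COMPONENT_HINTS:
            if f"-{hint}-" in f"-{seg}-":
                return hint
    return None

def is_noc_source(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field is treated as non-NOC
    return any(ip in net for net in NOC_NETWORKS)

def find_alerts(lines):
    """Flag component requests whose client IP is outside NOC_NETWORKS."""
    alerts = []
    for m in filter(None, map(LOG_RE.match, lines)):
        component = matched_component(m["path"])
        if component and not is_noc_source(m["ip"]):
            alerts.append((m["ts"], m["ip"], component, m["method"], int(m["status"])))
    return alerts
```

Behind a reverse proxy the first field is the proxy address, so feed the function a log format that records the original client IP before relying on the NOC allowlist.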
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-44277 | Fortinet FortiAuthenticator 6.5.x / 6.6.x / 8.0.x | 9.1 | n/a | No | No | 6.5.7 / 6.6.9 / 8.0.3 | PSIRT |
| CVE-2026-26083 | Fortinet FortiSandbox 4.4.x / 5.0.x / PaaS / Cloud | 9.1 | n/a | No | No | 4.4.9 / 5.0.2 / Cloud 5.0.6; Cloud 23/24 migrate | PSIRT |
| CVE-2026-45185 | Exim 4.97–4.99.2 (GnuTLS builds) | 9.8 | 0.0 | No | No | Exim 4.99.3 | XBOW |
| CVE-2026-41089 | Windows Netlogon (all supported Windows Server) | 9.8 | n/a | No | No | May 2026 CU | Tenable |
| CVE-2026-41096 | Windows DNS Client (dnsapi.dll) | 9.8 | n/a | No | No | May 2026 CU | Tenable |
| CVE-2026-41103 | Microsoft SSO Plugin for Jira/Confluence | 9.1 | n/a | No | No (More Likely) | Plugin update 2026-05-12 | Tenable |
| CVE-2026-42898 | Microsoft Dynamics 365 On-Premises | 9.9 | n/a | No | No | May 2026 CU | ZDI |
| CVE-2026-40361 | Microsoft Word (Preview Pane) | 8.4 | n/a | No | No (More Likely) | Office 2026-05-12 | Tenable |
| CVE-2026-40364 | Microsoft Word (Preview Pane) | 8.4 | n/a | No | No (More Likely) | Office 2026-05-12 | Tenable |
| CVE-2026-34263 | SAP Commerce Cloud HY_COM 2205 / COM_CLOUD 2211 | 9.6 | n/a | No | No | SAP Note 3733064 | Onapsis |
| CVE-2026-34260 | SAP S/4HANA SAP_BASIS 751–758 / 816 | 9.6 | n/a | No | No | SAP Note (May 2026 patch day) | Onapsis |
Vendor PSIRT pages (re-fetched at verification time) consistently publish CVSS 9.1 for both FortiAuthenticator CVE-2026-44277 and FortiSandbox CVE-2026-26083; early NCSC-CH / NVD reports cited 9.8 for one or both before convergence. § 7 documents the source discrepancy.