PROBABLYPWNED
Vulnerabilities | February 28, 2026 | 4 min read

Centreon Open Tickets Hit by Critical CVSS 9.9 Path Traversal Flaw

CVE-2026-2749 enables authenticated attackers to write or delete arbitrary files on Centreon Central Servers. Patches are now available for all supported versions.

Marcus Chen

Centreon has disclosed a critical path traversal vulnerability in its Open Tickets module that could allow authenticated attackers to write or delete arbitrary files on affected systems. Tracked as CVE-2026-2749, the flaw carries a CVSS score of 9.9—just 0.1 points shy of the maximum severity rating.

The vulnerability affects the Open Tickets file upload functionality on Centreon Central Server, a widely deployed IT infrastructure monitoring platform used by enterprises to track network devices, servers, and applications.

What Makes This Vulnerability Critical

A CVSS score of 9.9 indicates the worst-case scenario for exploitation potential. According to Centreon's security bulletin, the flaw requires authentication but allows attackers to escape intended directory constraints during file operations. Once exploited, an attacker can write malicious files to arbitrary locations on the server—potentially overwriting configuration files, deploying webshells, or disrupting monitoring operations entirely.

The path traversal primitive also enables file deletion, which could be weaponized to:

  • Remove critical system configurations
  • Disable security controls or logging
  • Corrupt the monitoring database itself
  • Create conditions for further exploitation

Security researchers at Hakaï Security, specifically researcher Texugo, discovered and reported the vulnerability. While Centreon hasn't released technical details about the exact input vector, path traversal vulnerabilities typically exploit insufficient sanitization of file path components in upload handlers—allowing sequences like ../ to escape intended directories.
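The sketch below is an added illustration of the general vulnerability class described above and how an upload handler can contain it. It is not Centreon's code and does not reflect the undisclosed input vector. The function names, directory layout and file names are assumptions constructed for the example, and it assumes a POSIX file system.

```python
import os
import tempfile

class PathEscape(ValueError):
    """Raised when a client-supplied name resolves outside the upload root."""

def naive_upload_path(upload_root, client_name):
    # Vulnerable pattern: the client-controlled name is joined as-is, so
    # "../" components or an absolute path decide where the file lands.
    return os.path.normpath(os.path.join(upload_root, client_name))

def is_inside(root, path):
    # True only when path is strictly below root (both must be absolute).
    return path != root and os.path.commonpath([root, path]) == root

def safe_upload_path(upload_root, client_name):
    # Hardened pattern: resolve ".." and symlinks first, then require the
    # final location to stay inside the resolved upload root.
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, client_name))
    if not is_inside(root, candidate):
        raise PathEscape(f"{client_name!r} resolves outside {root}")
    return candidate

def demo():
    # Constructed sample input: a throwaway tree and made-up file names.
    names = ["ticket-42.txt", "../config.ini", "a/../../config.ini",
             "/etc/cron.d/job", "link/note.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "uploads"))
        os.mkdir(root)
        # A symlink inside the upload root that points at its parent.
        os.symlink(os.path.dirname(root), os.path.join(root, "link"))
        for name in names:
            lexical_ok = is_inside(root, naive_upload_path(root, name))
            try:
                safe_upload_path(root, name)
                accepted = True
            except PathEscape:
                accepted = False
            results[name] = (lexical_ok, accepted)
    return results

if __name__ == "__main__":
    for name, (lexical_ok, accepted) in demo().items():
        print(f"{name:22} lexical check: {lexical_ok!s:5} resolved check: {accepted}")
```

The `link/note.txt` case shows why a purely lexical check on the joined path is not enough: the string stays under the upload root, but the resolved location does not.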

Affected Versions and Patches

The vulnerability impacts all versions of Centreon Open Tickets prior to the fixed releases:

Branch    Vulnerable Versions    Fixed Version
25.10     All before 25.10.3     25.10.3
24.10     All before 24.10.8     24.10.8
24.04     All before 24.04.7     24.04.7

Organizations running earlier, unsupported branches should treat this as a forcing function for upgrades. Path traversal vulnerabilities in authenticated contexts are commonly chained with credential theft or session hijacking to achieve full system compromise.

Why IT Monitoring Platforms Make Attractive Targets

Centreon sits at a privileged position in enterprise networks. Monitoring platforms by design have network visibility into every system they track, often holding credentials for SNMP, SSH, or API access to managed devices. Compromising the monitoring infrastructure gives attackers a ready-made map of the environment and potential pivot points to high-value targets.

This isn't theoretical. We've seen similar attacks against SolarWinds infrastructure where attackers leveraged monitoring platform access to move laterally through networks. The pattern repeats: monitoring systems aggregate the information and access that make lateral movement trivial.

Immediate Actions

  1. Identify exposure — Inventory Centreon Open Tickets deployments and verify current version numbers
  2. Apply patches — Upgrade to 25.10.3, 24.10.8, or 24.04.7 depending on your release branch
  3. Audit file system — Check for unexpected files in web-accessible directories, particularly webshells or modified configurations
  4. Review authentication logs — Look for anomalous login activity from the Open Tickets module
  5. Restrict network access — Ensure Centreon interfaces aren't exposed to untrusted networks

No proof-of-concept exploit code has been published, but the CVSS 9.9 rating and straightforward vulnerability class suggest exploitation is well within reach for capable attackers. The patch-to-exploit window for critical vulnerabilities continues shrinking—organizations should prioritize remediation within days, not weeks.

The Broader Monitoring Platform Risk

Centreon joins a growing list of IT monitoring and management platforms facing serious security scrutiny. Similar critical vulnerabilities have recently affected Cisco's network management tools, Cisco Snort3's packet inspection engine, and workflow automation platforms like n8n. The common thread: platforms designed for operational visibility often lack the defensive hardening their privileged network position demands.

For security teams managing monitoring infrastructure, this disclosure is a reminder to treat these systems with the same rigor applied to domain controllers or authentication servers. Their compromise yields comparable impact.
