PT-2025-30360 · Librenms · Librenms
Skraft9 · Published 2025-07-21 · Updated 2025-08-05 · CVE-2025-54138
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LibreNMS versions 25.6.0 and below
Description
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring system. Versions 25.6.0 and below contain an architectural vulnerability in the /ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the includes/html/forms/ path without validation or allowlisting. This introduces a potential Remote Code Execution (RCE) vector if an attacker can stage a file in this include path, for example via a symlink or a development misconfiguration.
LibreNMS versions prior to 25.7.0 are affected.
Recommendations
- Implement strict allowlisting or hardcoded routing instead of dynamically including user-supplied filenames.
- Avoid passing raw POST input into include_once.
- Ensure the inclusion path is immutable and outside of attacker control.
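The three recommendations above amount to one pattern: the request may only choose among handlers the application defined in advance, and the filesystem path is never built from the raw parameter. The following PHP is an added illustration written for this advisory, not code from LibreNMS; the handler names, the constant FORM_HANDLERS and the helper functions are hypothetical. It places the weak pattern the description talks about next to an allowlisted dispatcher that also verifies the resolved file stays inside the fixed directory, which closes the symlink case the description mentions.

```php
<?php
// Added illustration, not LibreNMS code. Shows a form handler selected by a
// POST "type" parameter, first in the weak form described in the advisory,
// then in an allowlisted form.

// Weak pattern: the request decides which file is included. Any file an
// attacker can stage under the include path (for example via a symlink or a
// stray development file) becomes executable code.
function include_form_unsafe(string $type): void
{
    include_once 'includes/html/forms/' . $type . '.inc.php';
}

// Hardened pattern. The allowlist is a constant in code; the request value is
// only ever used as a key into it, never as part of a path.
const FORM_HANDLERS = [
    // hypothetical handler names, not taken from LibreNMS
    'add-device' => 'add_device',
    'edit-alert' => 'edit_alert',
];

// Returns the absolute path of the handler file, or null when the request
// value is not allowlisted or the file does not resolve inside the fixed
// directory.
function resolve_form_handler(?string $type): ?string
{
    if ($type === null || !array_key_exists($type, FORM_HANDLERS)) {
        return null; // unknown type: refuse before touching the filesystem
    }

    $base = realpath(__DIR__ . '/includes/html/forms');
    if ($base === false) {
        return null; // include directory missing: fail closed
    }

    // Defence in depth: realpath collapses symlinks and "../" components, so
    // a planted symlink pointing elsewhere fails the prefix check below.
    $real = realpath($base . '/' . FORM_HANDLERS[$type] . '.inc.php');
    if ($real === false || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function include_form_safe(): void
{
    $handler = resolve_form_handler($_POST['type'] ?? null);
    if ($handler === null) {
        http_response_code(400);
        header('Content-Type: application/json');
        echo json_encode(['status' => 'error', 'message' => 'Unknown form type']);
        return;
    }
    include_once $handler;
}

include_form_safe();
```

The allowlist lookup alone satisfies the first two recommendations; the realpath prefix check is what makes the inclusion path immutable in practice, because a file that merely appears under includes/html/forms/ but resolves elsewhere is still rejected.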
Exploit · Fix · RCE
Affected Products
Librenms