CVE-2021-25931

8.8 HIGH

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in OpenNMS Horizon and Meridian that allows attackers to trick administrators into granting ROLE_ADMIN privileges to normal users. The vulnerability affects OpenNMS Horizon versions 1.0-stable through 27.1.0-1 and OpenNMS Meridian versions 2015.1.0-1 through 2019.1.18-1 and 2020.1.0-1 through 2020.1.6-1.

💻 Affected Systems

Products:
  • OpenNMS Horizon
  • OpenNMS Meridian
Versions: OpenNMS Horizon: 1.0-stable through 27.1.0-1; OpenNMS Meridian: 2015.1.0-1 through 2019.1.18-1 and 2020.1.0-1 through 2020.1.6-1
Operating Systems: All platforms running affected OpenNMS versions
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability requires an authenticated admin user to be tricked into clicking a malicious link.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access to the OpenNMS system, enabling complete system compromise, data manipulation, and further network exploitation.

🟠

Likely Case

Attackers elevate privileges for existing user accounts, gaining administrative control over the monitoring system.

🟢

If Mitigated

Attackers cannot exploit the vulnerability due to proper CSRF protections or network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an authenticated admin user into clicking a malicious link. The technical complexity of the exploit itself is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenNMS Horizon 27.1.1 and later; OpenNMS Meridian 2020.1.7 and later

Vendor Advisory: https://github.com/OpenNMS/opennms/commit/607151ea8f90212a3fb37c977fa57c7d58d26a84

Restart Required: Yes

Instructions:

1. Back up your OpenNMS configuration and database.
2. Update to OpenNMS Horizon 27.1.1+ or OpenNMS Meridian 2020.1.7+.
3. Restart the OpenNMS service.
4. Verify the fix by checking the version and testing CSRF protection.

🔧 Temporary Workarounds

Implement CSRF Protection

Platforms: all

Add CSRF tokens to the vulnerable endpoint manually if patching is not immediately possible.

Modify /opennms/admin/userGroupView/users/updateUser endpoint to include CSRF tokens

Network Segmentation

Platforms: all

Restrict access to OpenNMS admin interface to trusted networks only.

Configure firewall rules to limit access to OpenNMS admin port (8980 by default) to authorized IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OpenNMS admin interface from untrusted networks
  • Use browser extensions that block CSRF attacks and educate administrators about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check the OpenNMS version against the affected ranges. If the version is within an affected range and no CSRF protection is in place at /opennms/admin/userGroupView/users/updateUser, the system is vulnerable.

Check Version:

opennms version

Verify Fix Applied:

Verify OpenNMS version is 27.1.1+ for Horizon or 2020.1.7+ for Meridian. Test that CSRF tokens are required for the updateUser endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user privilege escalation events
  • Multiple failed login attempts followed by successful admin actions
  • Requests to /opennms/admin/userGroupView/users/updateUser without CSRF tokens

Network Indicators:

  • Unusual traffic patterns to OpenNMS admin interface from unexpected sources
  • HTTP POST requests to the updateUser endpoint with a missing or foreign Referer header (not the OpenNMS UI's own origin)

SIEM Query:

source="opennms" AND (event_type="user_privilege_change" OR url_path="/admin/userGroupView/users/updateUser")
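The two indicators above (POSTs to updateUser with a missing or foreign Referer) as a small access-log check, added here as an example and not part of this advisory or of OpenNMS itself. The log format, the hostname opennms.example.internal and the sample lines are constructed for the example; adapt the regex to your actual access-log layout.

```python
# Added example: flag POSTs to the OpenNMS updateUser endpoint whose Referer is
# absent or points to an origin other than the OpenNMS UI itself.
# The combined-log-style format and all sample lines below are constructed for
# this example; real OpenNMS (Jetty) access logs may be laid out differently.
import re
from urllib.parse import urlsplit

UPDATE_USER_PATH = "/opennms/admin/userGroupView/users/updateUser"

# src - user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal UI-driven update, one POST referred from a
# foreign page (the CSRF pattern), one POST with no Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2021:10:01:02 +0000] "GET /opennms/admin/ HTTP/1.1" 200 1530 "https://opennms.example.internal:8980/opennms/" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2021:10:01:40 +0000] "POST /opennms/admin/userGroupView/users/updateUser HTTP/1.1" 302 0 "https://opennms.example.internal:8980/opennms/admin/userGroupView/users/" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2021:10:07:13 +0000] "POST /opennms/admin/userGroupView/users/updateUser HTTP/1.1" 302 0 "http://phishing.example.net/page.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [12/Mar/2021:10:09:55 +0000] "POST /opennms/admin/userGroupView/users/updateUser HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_update_user(entry, trusted_origin):
    """True for a POST to updateUser whose Referer is missing or cross-origin."""
    if entry is None or entry["method"] != "POST":
        return False
    if urlsplit(entry["path"]).path != UPDATE_USER_PATH:
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True  # no Referer: same-origin cannot be confirmed
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}" != trusted_origin


def find_suspicious(lines, trusted_origin="https://opennms.example.internal:8980"):
    """Return the parsed entries that match the CSRF-style pattern."""
    return [e for e in map(parse_line, lines) if suspicious_update_user(e, trusted_origin)]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f'{e["ts"]} {e["src"]} user={e["user"]} referer={e["referer"]}')
```

A hit here means the request came from outside the OpenNMS UI (or carried no Referer), which is the signal to correlate with the user-privilege-change events named above; it does not by itself prove a successful privilege change.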

🔗 References