CVE-2025-23200
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in LibreNMS allows attackers to inject malicious scripts through the state parameter in ajax_form.php. When users view pages containing the injected data, the scripts execute automatically, potentially leading to session hijacking, data theft, or unauthorized actions. All LibreNMS users running versions up to 24.10.1 are affected.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS by LibreNMS
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, compromise the entire monitoring system, pivot to other systems, or deploy ransomware across monitored infrastructure.
Likely Case
Attackers steal session cookies to impersonate users, modify monitoring configurations, or exfiltrate sensitive network data.
If Mitigated
With proper input validation and output encoding, the attack fails to execute, though the malicious payload might still be stored.
🎯 Exploit Status
Exploitation requires the ability to submit data to the vulnerable parameter, which typically requires some level of access. The advisory suggests the vulnerability is in the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.11.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-c66p-64fj-jmc2
Restart Required: No
Instructions:
1. Back up your LibreNMS configuration and database.
2. Update LibreNMS using your preferred method (git pull, package update, or manual download).
3. Run ./daily.sh to update the database schema if needed.
4. Verify the update by checking the version in the web interface.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Implement strict web application firewall (WAF) rules to block XSS payloads in the state parameter
- Restrict access to the LibreNMS web interface to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check your LibreNMS version via the web interface (Admin → About) or command line: grep version /opt/librenms/LibreNMS/Config/Version.php
Check Version:
grep version /opt/librenms/LibreNMS/Config/Version.php
Verify Fix Applied:
Confirm version is 24.11.0 or higher. Test the ajax_form.php endpoint with XSS payloads to ensure they're properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to ajax_form.php with JavaScript in parameters
- Multiple failed XSS attempts in web server logs
Network Indicators:
- HTTP requests containing script tags or JavaScript in the state parameter
SIEM Query:
source="web_access.log" AND uri="/ajax_form.php" AND (state CONTAINS "<script>" OR state CONTAINS "javascript:")
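The log indicators and SIEM query above, turned into a small offline check that can be run against an exported web server access log. This is an added example, not code from the advisory or the LibreNMS project; the log lines are constructed, and only the /ajax_form.php path and the state parameter come from the advisory.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "POST /ajax_form.php?type=x&state=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 51 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /ajax_form.php?state=javascript%3Aalert(1) HTTP/1.1" 200 51 "-" "curl/8.4"
198.51.100.9 - - [10/Jan/2025:12:00:03 +0000] "POST /ajax_form.php?type=x&state=ok HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:12:00:04 +0000] "GET /devices?state=%3Cscript%3E HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
# Markers named in the advisory's SIEM query; extend for your environment.
MARKERS = ("<script", "javascript:")


def suspicious_state_requests(log_text):
    """Return requests to /ajax_form.php whose 'state' query value carries an XSS marker.

    Caveat: access logs record the query string only, not POST bodies, so a
    payload sent in the request body is invisible here. Pair this with WAF or
    request-body logging to cover that case.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if parts.path != "/ajax_form.php":
            continue
        for raw in parse_qs(parts.query).get("state", []):
            # Decode once more to catch double-encoded values, then compare case-insensitively.
            decoded = unquote(raw).lower()
            if any(marker in decoded for marker in MARKERS):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "state": decoded})
    return hits


def repeat_offenders(hits, threshold=2):
    """Source IPs with at least `threshold` flagged requests ("multiple attempts" indicator)."""
    counts = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = suspicious_state_requests(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["state"])
    print("repeat offenders:", repeat_offenders(found))
```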