CVE-2025-54138
📋 TL;DR
This vulnerability in LibreNMS is a local file inclusion in the ajax_form.php endpoint, which can lead to remote code execution. The endpoint uses attacker-controlled POST input (the "type" parameter) to build the path of an .inc.php handler that it then includes from the includes/html/forms/ directory, without sufficiently validating that value. An attacker who controls it can therefore make the application include files other than the intended form handlers and, if they can also place a file of their choosing at a path the include can reach, execute code on the server. All LibreNMS installations running versions 25.6.0 and below are affected.
💻 Affected Systems
- LibreNMS
📦 What is this software?
LibreNMS is an open-source, PHP-based network monitoring system maintained by the LibreNMS project.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Inclusion of unintended files, giving information disclosure; code execution only where the attacker can first get a file with attacker-controlled contents onto the server at a path the include can reach.
If Mitigated
Unauthorized file inclusion attempts logged but blocked, no code execution.
🎯 Exploit Status
Exploitation requires control of the POST input to ajax_form.php. Turning the inclusion into code execution additionally requires a file of the attacker's choosing at a path reachable from the include, staged via a writable directory, a symlink, a misconfiguration, or a chained vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.7.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-gq96-8w38-hhj2
Restart Required: No
Instructions:
1. Back up your LibreNMS installation and database.
2. As the librenms user, update to 25.7.0 or later: 'git pull origin master' (or run './daily.sh', which pulls the latest code as part of its maintenance tasks).
3. Run './daily.sh' to apply database migrations and the other post-update tasks.
4. Run './validate.php' to check the installation and confirm that the version it reports is 25.7.0 or higher. Note that validate.php validates the install; it does not clear caches.
🔧 Temporary Workarounds
Restrict ajax_form.php access
Block direct access to the vulnerable endpoint using web server configuration. Caveat: the LibreNMS web UI itself submits many of its legacy forms through ajax_form.php, so denying all access disables those forms. If that is unacceptable, allow only administrator source addresses instead of denying everyone.
# Apache 2.4 (in the vhost, or in .htaccess if AllowOverride permits it)
<Files "ajax_form.php">
    Require all denied
    # allow-list variant instead of the line above:
    # Require ip 10.0.0.0/8
</Files>
# Apache 2.2 (or 2.4 with mod_access_compat) uses the older syntax:
# Order deny,allow
# Deny from all

# Nginx: add to the server block BEFORE the generic "location ~ \.php$"
# handler, because nginx uses the first matching regex location in file order.
# Do not add "return 403" next to "deny": return runs in the rewrite phase,
# before access checks, so it would also defeat a later allow-list.
location ~ /ajax_form\.php$ {
    deny all;
    # allow-list variant: "allow 10.0.0.0/8;" followed by "deny all;"
}
🧯 If You Can't Patch
- Enforce strict file system permissions: no directory the PHP process can write to (uploads, RRD and log directories, temp paths) should be reachable by the include, and the process should not be able to create files under includes/html/forms/ or anywhere else with a name ending in .inc.php.
- Deploy web application firewall (WAF) rules that inspect the POST body of requests to ajax_form.php and block "type" values that are not a plain form name (for example, values containing "/", "..", "%2e", "%2f", or a null byte).
🔍 How to Verify
Check if Vulnerable:
Check the LibreNMS version. The reliable way is to run './validate.php' as the librenms user; the first lines of its output list the LibreNMS version. The version is also shown on the About page of the web interface.
Check Version:
./validate.php | head
# On older checkouts the version may also be present in the definitions file:
grep "\$config['project_name_version']" includes/definitions.inc.php
Verify Fix Applied:
Confirm the version is 25.7.0 or higher and that the fix commit ec89714d929ef0cf2321957ed9198b0f18396c81 is an ancestor of the checked-out code, e.g. from the LibreNMS directory: git merge-base --is-ancestor ec89714d929ef0cf2321957ed9198b0f18396c81 HEAD && echo "fix present" (or: git branch --contains ec89714d929ef0cf2321957ed9198b0f18396c81).
📡 Detection & Monitoring
Log Indicators:
- POST requests to /ajax_form.php whose "type" parameter is not a plain form name (contains "/", "..", URL-encoded equivalents, or a null byte). Note that standard web access logs do not record POST bodies, so this requires a source that does (WAF/ModSecurity audit log, a reverse proxy configured to log request bodies, or application logging).
- PHP warnings in the web server or PHP-FPM error log for failed inclusions, such as "include(...): failed to open stream" or "Failed opening '...' for inclusion", referencing paths outside includes/html/forms/.
- File access attempts, e.g. from auditd or file integrity monitoring, touching includes/html/forms/ or creating files with an .inc.php suffix in writable directories.
Network Indicators:
- HTTP POST requests to ajax_form.php with crafted "type" parameters (visible only to inspection that sees the request body).
- Outbound connections from the LibreNMS server that do not match its normal polling traffic (SNMP, ICMP and similar to monitored devices), such as a connection from the web server process to an unexpected external host.
SIEM Query (requires a log source that captures the POST body; adjust field names to that source):
source="waf_audit.log" AND uri="/ajax_form.php" AND method="POST" AND (type="*..*" OR type="*/*" OR type="*%2e*" OR type="*%2f*" OR type="*%00*")
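The detection logic above, as an added example that is not part of the original page or of LibreNMS itself. It scans constructed JSON-lines records of the kind a reverse proxy or WAF produces when configured to log request bodies, extracts the "type" value from POSTs to ajax_form.php, decodes it a second time to catch double encoding, and then applies the same path resolution the vulnerable include would perform to decide whether the value still points at a direct child of the forms directory. The install path /opt/librenms, the field names (src, method, uri, body) and the sample records are assumptions.

```python
import json
import posixpath
import re
from urllib.parse import parse_qs, unquote

# Assumed install location; adjust to the real path on the monitored host.
FORMS_DIR = "/opt/librenms/includes/html/forms"

# A legitimate form name is a bare file stem: letters, digits, underscore, hyphen.
SAFE_TYPE = re.compile(r"[A-Za-z0-9_-]+")


def classify_type(type_value: str) -> str:
    """Return a verdict for one "type" value taken from an ajax_form.php POST body.

    The check mirrors what an include of FORMS_DIR/<type>.inc.php would do:
    build the path and see whether it still resolves to a direct child of FORMS_DIR.
    """
    # parse_qs already decoded once; decode again to catch double-encoded traversal.
    value = unquote(type_value)
    if "\x00" in value:
        return "null-byte"
    if SAFE_TYPE.fullmatch(value):
        return "ok"
    # posixpath.join discards FORMS_DIR when `value` is absolute, as a PHP
    # string concatenation followed by include would also escape the directory.
    candidate = posixpath.normpath(posixpath.join(FORMS_DIR, value + ".inc.php"))
    if posixpath.dirname(candidate) != FORMS_DIR:
        return "path-manipulation"
    # Resolves inside the directory but is not a plain name (e.g. "./ports").
    return "unexpected-chars"


def scan_log(lines):
    """Return flagged entries from JSON-lines records that include the POST body."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        if not rec.get("uri", "").split("?", 1)[0].endswith("/ajax_form.php"):
            continue
        body = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for type_value in body.get("type", []):
            verdict = classify_type(type_value)
            if verdict != "ok":
                findings.append({"src": rec.get("src"), "type": type_value, "verdict": verdict})
    return findings


# Constructed sample records, not real traffic. Each line imitates a reverse proxy
# or WAF audit log that has been configured to record the request body.
SAMPLE_LOG = """
{"src":"10.0.0.5","method":"POST","uri":"/ajax_form.php","body":"type=ports&device_id=12"}
{"src":"198.51.100.7","method":"POST","uri":"/ajax_form.php","body":"type=..%2F..%2F..%2F..%2Fetc%2Fpasswd"}
{"src":"198.51.100.7","method":"POST","uri":"/ajax_form.php?x=1","body":"type=%252e%252e%2F%252e%252e%2Ftmp%2Fevil"}
{"src":"198.51.100.8","method":"POST","uri":"/ajax_form.php","body":"type=%2Ftmp%2Fupload"}
{"src":"10.0.0.6","method":"GET","uri":"/ajax_form.php","body":""}
{"src":"10.0.0.6","method":"POST","uri":"/ajax_table.php","body":"type=..%2Fx"}
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Only the three traversal-style records are reported; the GET, the request to a different endpoint, and the legitimate "type=ports" submission are ignored. The same resolution check (does the built path still have FORMS_DIR as its directory?) is also the shape of validation an application should apply before including a file named by user input, in addition to an allow-list of known form names.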