CVE-2025-65093
📋 TL;DR
CVE-2025-65093 is a boolean-based blind SQL injection vulnerability in LibreNMS's /ajax_output.php endpoint. Attackers can manipulate the hostname parameter to infer database contents through conditional responses. All LibreNMS installations prior to version 25.11.0 are affected.
💻 Affected Systems
- LibreNMS
📦 What is this software?
Librenms by Librenms
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including sensitive credentials, configuration data, and network monitoring information leading to complete system takeover.
Likely Case
Data exfiltration of sensitive information such as SNMP credentials, network device configurations, and user credentials.
If Mitigated
Limited information disclosure if database contains minimal sensitive data and proper network segmentation exists.
🎯 Exploit Status
Exploitation requires understanding of boolean-based blind SQL injection techniques and may require authentication depending on endpoint access controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.11.0
Vendor Advisory: https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9
Restart Required: No
Instructions:
1. Backup your LibreNMS installation and database. 2. Update LibreNMS to version 25.11.0 or later using git: 'git pull origin master'. 3. Run database updates: './daily.sh'. 4. Verify the update completed successfully.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
allDeploy a WAF with SQL injection protection rules to block exploitation attempts.
Endpoint Restriction
linuxRestrict access to /ajax_output.php endpoint using web server configuration or network controls.
# Apache: <Location "/ajax_output.php"> Require all denied </Location>
# Nginx: location = /ajax_output.php { deny all; }
🧯 If You Can't Patch
- Implement strict input validation and parameterized queries in custom code if modifying source is possible.
- Isolate LibreNMS instance in a separate network segment with strict access controls and monitoring.
🔍 How to Verify
Check if Vulnerable:
Check LibreNMS version: 'grep \"version\" includes/definitions.inc.php' or via web interface at /ajax_output.php?hostname=test.Check Version:
grep "\$config['version']" includes/definitions.inc.phpVerify Fix Applied:
Confirm version is 25.11.0 or later and review the patched code in /ajax_output.php for parameterized queries.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in application logs
- Multiple requests to /ajax_output.php with crafted hostname parameters
- Database error logs showing SQL syntax errors
Network Indicators:
- HTTP requests containing SQL keywords (SELECT, UNION, etc.) in hostname parameter
- Abnormal request patterns to the vulnerable endpoint
SIEM Query:
source="web_logs" AND url="/ajax_output.php" AND (hostname="*SELECT*" OR hostname="*UNION*" OR hostname="*OR*" OR hostname="*AND*")