CVE-2020-25144
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /apps/?app=../ URIs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 has a directory traversal in the apps module allowing authenticated local file inclusion that can lead to remote code execution.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 contains a directory traversal vulnerability in the apps module. The app parameter in /apps/?app=... URIs is not sanitized, allowing an attacker to traverse directories and include arbitrary files with a .inc.php extension from any location on the filesystem [1]. This unrestricted inclusion enables loading of files outside the web root.
Exploitation
An authenticated attacker can exploit this by sending a GET request to /apps/?app=../../../path/to/file where the path points to a file that will have .inc.php appended automatically. For example, the request GET /apps/?app=../../../includes/polling/wmi loads the file wmi.inc.php from the includes/polling directory [1]. No additional user interaction is required.
Impact
Successful exploitation allows an attacker to include arbitrary .inc.php files, which can lead to remote code execution if the included file contains executable PHP code [1]. This can result in full compromise of the Observium installation and potentially the underlying server, as the attacker gains code execution in the context of the web server.
Mitigation
As of the publication date (2020-09-25), no official patch was available. Users should monitor Observium for updates. A workaround is to restrict access to the /apps/ endpoint via web server configuration (e.g., .htaccess) to trusted IP addresses, or disable the apps module if not required. The vulnerability is not listed in CISA KEV as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
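As an added defender-side example, not code from the advisory reference or from Observium, the following Python scans web server access logs for requests to the /apps/ endpoint whose app value contains traversal sequences, including percent-encoded and double-encoded forms. The log lines are constructed, and the pattern used for a legitimate app name is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not real traffic); traversal values mirror the advisory's includes/polling/wmi path.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Sep/2020:10:00:01 +0000] "GET /apps/?app=apache HTTP/1.1" 200 4120
10.0.0.7 - admin [25/Sep/2020:10:00:05 +0000] "GET /apps/?app=../../../includes/polling/wmi HTTP/1.1" 200 812
10.0.0.7 - admin [25/Sep/2020:10:00:09 +0000] "GET /apps/?app=..%2F..%2Fincludes%2Fpolling%2Fwmi HTTP/1.1" 200 812
10.0.0.7 - admin [25/Sep/2020:10:00:12 +0000] "GET /apps/?app=%252e%252e/%252e%252e/includes/polling/wmi HTTP/1.1" 200 812
10.0.0.9 - - [25/Sep/2020:10:00:20 +0000] "GET /devices/?app=../x HTTP/1.1" 200 100
10.0.0.9 - admin [25/Sep/2020:10:00:25 +0000] "GET /apps/?app=nginx HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate app name is a single path-less token such as "apache".
SAFE_APP_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded '%252e%252e' is still seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_app_value(value):
    """Return 'traversal', 'unexpected' or None for one 'app' value as the server decoded it."""
    decoded = decode_fully(value).replace("\\", "/")
    if ".." in decoded.split("/"):
        return "traversal"
    return None if SAFE_APP_RE.match(decoded) else "unexpected"

def scan_log(log_text):
    """Return one finding per suspicious /apps/ request: client, raw value, decoded value, verdict."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/apps/"):  # scope to the endpoint named in the CVE
            continue
        # parse_qs applies the first percent-decoding, as the web server itself would
        for raw in parse_qs(url.query, keep_blank_values=True).get("app", []):
            verdict = classify_app_value(raw)
            if verdict:
                findings.append({"client": line.split(" ", 1)[0], "raw": raw,
                                 "decoded": decode_fully(raw), "verdict": verdict})
    return findings
```

Run against real access logs, the "unexpected" verdict is a lower-severity signal for values that are not traversal but also do not look like an app name, so tune SAFE_APP_RE to the app names actually deployed.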
Affected products
- Observium / Observium Professional, Enterprise & Community
  - Range: = 20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] gist.github.com/ahpaleus/f2843deea7f90e5b371e5c0370fb7775 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.