VYPR
Unrated severity · NVD Advisory · Published Sep 25, 2020 · Updated Aug 4, 2024

CVE-2020-25145

Description

An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /device/device=345/?tab=ports&view=../ URIs because of device/port.inc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Observium 20.8.10631 is vulnerable to directory traversal and local file inclusion via device/port.inc.php, enabling remote code execution through inclusion of arbitrary .inc.php files.

Vulnerability

Observium Professional, Enterprise & Community version 20.8.10631 contains a directory traversal vulnerability in the device/port.inc.php file. The view parameter in the URL /device/device=345/?tab=ports&view=../ is not properly sanitized, allowing an attacker to traverse directories and include arbitrary files with a .inc.php extension. This unrestricted file inclusion can lead to remote code execution [1].

Exploitation

An authenticated attacker can exploit this vulnerability by sending a crafted GET request to the Observium server. For example, the request GET /device/device=345/?tab=ports&view=../../../../includes/polling/wmi HTTP/1.1 includes the file wmi.inc.php from the includes/polling/ directory. The attacker can include any .inc.php file on the system, including those that contain executable PHP code, by adjusting the path traversal depth [1].

Impact

Successful exploitation allows an authenticated attacker to include arbitrary .inc.php files, leading to remote code execution. This can result in full compromise of the Observium server, including data exfiltration, privilege escalation, and potential lateral movement within the network.

Mitigation

Observium has likely addressed this vulnerability in a version later than 20.8.10631. Users should upgrade to the latest available version. No official workaround is documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
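The advisory describes the root cause as a user-controlled view name being concatenated into an include path where only the `.inc.php` suffix is fixed, so the suffix restriction does nothing against `../`. The following is an added example, not Observium's code and not the vendor's fix: it contrasts that unsanitised pattern with a hardened resolver (identifier-only syntax, an explicit allowlist of view names, and a containment check on the normalised path), and then applies the same traversal test to constructed access-log lines so the request shape from the page can be spotted in logs. The application root, the `pages/device` directory, the view names and the log lines are all assumptions made for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout for the example; the advisory only names device/port.inc.php
# and includes/polling/wmi.inc.php, not where the page directory lives.
APP_ROOT = "/opt/observium/html"
PAGE_DIR = "pages/device"
ALLOWED_VIEWS = frozenset({"basic", "graphs", "details"})  # hypothetical view names


def vulnerable_resolve(view: str) -> str:
    """The pattern the advisory describes: the view name goes straight into the
    include path and only the .inc.php suffix is fixed. '../' walks out of PAGE_DIR."""
    return posixpath.normpath(posixpath.join(APP_ROOT, PAGE_DIR, view + ".inc.php"))


_VIEW_RE = re.compile(r"[a-z0-9_]{1,32}")


def hardened_resolve(view: str) -> Optional[str]:
    """Return the include path for a known view, or None if the value is rejected."""
    # 1. Syntactic check: a bare identifier, so no '/', '\\', '.', NUL or encoding tricks.
    if not _VIEW_RE.fullmatch(view):
        return None
    # 2. Semantic allowlist: only views this page actually defines.
    if view not in ALLOWED_VIEWS:
        return None
    # 3. Defence in depth: the normalised path must still sit under PAGE_DIR.
    base = posixpath.join(APP_ROOT, PAGE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, view + ".inc.php"))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def looks_like_traversal(view: str) -> bool:
    """Cheap log-side test: any separator, dot-dot or NUL in a view name is suspect."""
    decoded = unquote(view)  # second decode catches double-encoded ../
    return any(tok in decoded for tok in ("..", "/", "\\", "\x00"))


_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_view_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded view value) for combined-format access-log
    lines whose view= parameter looks like a traversal attempt."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for raw in parse_qs(query, keep_blank_values=True).get("view", []):
            if looks_like_traversal(raw):
                hits.append((n, unquote(raw)))
    return hits


# Constructed sample log: one legitimate view, the request shape from the advisory,
# and a percent-encoded variant of it.
SAMPLE_LOG = [
    '203.0.113.7 - admin [25/Sep/2020:10:00:01 +0000] "GET /device/device=345/?tab=ports&view=graphs HTTP/1.1" 200 8123',
    '203.0.113.7 - admin [25/Sep/2020:10:00:09 +0000] "GET /device/device=345/?tab=ports&view=../../../../includes/polling/wmi HTTP/1.1" 200 512',
    '203.0.113.7 - admin [25/Sep/2020:10:00:15 +0000] "GET /device/device=345/?tab=ports&view=%2e%2e%2f%2e%2e%2fincludes%2fpolling%2fwmi HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    attack = "../../../../includes/polling/wmi"
    print("vulnerable resolves to:", vulnerable_resolve(attack))
    print("hardened resolves to:  ", hardened_resolve(attack))
    print("hardened('graphs'):    ", hardened_resolve("graphs"))
    for n, view in suspicious_view_requests(SAMPLE_LOG):
        print(f"line {n}: suspicious view={view!r}")
```

The ordering in `hardened_resolve` matters: the allowlist is the real control, and the `commonpath` containment check is only there so a later refactor that loosens the regex does not silently reintroduce the traversal. The log scan uses a looser test than the resolver on purpose, since a detection rule should not need to know the application's list of legitimate view names.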

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Observium / Observium Professional, Enterprise & Community
  • Version range: = 20.8.10631

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.