CVE-2020-25149
Description
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to directory traversal and local file inclusion due to the fact that there is an unrestricted possibility of loading any file with an inc.php extension. Inclusion of other files (even though limited to the mentioned extension) can lead to Remote Code Execution. This can occur via /device/device=345/?tab=health&metric=../ because of device/health.inc.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Observium 20.8.10631 contains a directory traversal vulnerability in device/health.inc.php allowing authenticated local file inclusion that can lead to remote code execution.
Vulnerability
Observium Professional, Enterprise & Community version 20.8.10631 is vulnerable to directory traversal and local file inclusion in the device/health.inc.php script. The metric parameter in the URL /device/device=345/?tab=health&metric=... is not sanitized, allowing an attacker to traverse directories and include arbitrary files with a .inc.php extension. This includes files outside the web root, as demonstrated by the path ../../../../includes/polling/wmi [1].
Exploitation
An authenticated attacker can exploit this by sending a crafted GET request to the vulnerable endpoint. The attacker must have valid credentials to access the Observium web interface. By manipulating the metric parameter with directory traversal sequences (e.g., ../), the attacker can include any .inc.php file from the server's filesystem. The reference provides an example request: GET /device/device=345/?tab=health&metric=../../../../includes/polling/wmi [1]. No additional user interaction is required beyond authentication.
Impact
Successful exploitation allows the attacker to include arbitrary .inc.php files, which can lead to remote code execution (RCE) if the included file contains executable code or can be used to trigger further attacks. The vulnerability compromises the confidentiality, integrity, and availability of the affected system, potentially granting the attacker full control over the Observium instance.
Mitigation
As of the publication date (2020-09-25), no official patch or fixed version has been disclosed in the available references. Users are advised to restrict access to the Observium interface to trusted users only and monitor for any updates from the vendor. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
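Until a vendor fix is available, the request pattern from the reference can be hunted for in web-server access logs. The following Python, added here as an example (not part of the CVE record or of Observium), flags health-tab requests whose metric parameter carries a directory-traversal sequence, including percent-encoded variants; the log lines are constructed.

```python
"""Detect CVE-2020-25149-style traversal attempts against Observium's health
tab in combined-format access logs. Added example; SAMPLE_LOG is constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-log entry: "GET /path?query HTTP/1.1"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment delimited by / or \ (or at either end of the value)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

SAMPLE_LOG = [  # constructed entries, RFC 5737 documentation addresses
    '203.0.113.7 - admin [25/Sep/2020:10:00:01 +0000] "GET /device/device=345/?tab=health&metric=processor HTTP/1.1" 200 5123',
    '203.0.113.7 - admin [25/Sep/2020:10:00:09 +0000] "GET /device/device=345/?tab=health&metric=../../../../includes/polling/wmi HTTP/1.1" 200 812',
    '198.51.100.4 - bob [25/Sep/2020:10:01:33 +0000] "GET /device/device=12/?tab=health&metric=%2e%2e%2f%2e%2e%2fincludes%2fpolling%2fwmi HTTP/1.1" 200 770',
    '198.51.100.4 - bob [25/Sep/2020:10:02:00 +0000] "GET /device/device=12/?tab=ports HTTP/1.1" 200 9000',
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so %252e%252e%252f
    (double-encoded ../) is compared in its final decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_metric(target: str) -> Optional[str]:
    """Return the decoded metric value when the request is for a device's
    health tab and `metric` contains a traversal sequence; otherwise None."""
    parts = urlsplit(target)
    if "/device/" not in parts.path:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    if qs.get("tab", [""])[0] != "health":
        return None
    for raw in qs.get("metric", []):
        metric = decode_fully(raw)
        if TRAVERSAL_RE.search(metric) or "\x00" in metric:
            return metric
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_metric) for every matching log entry."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m is None:
            continue
        metric = suspicious_metric(m.group("target"))
        if metric is not None:
            hits.append((line.split()[0], metric))
    return hits

if __name__ == "__main__":
    for ip, metric in scan_log(SAMPLE_LOG):
        print(f"traversal in metric from {ip}: {metric}")
```

A hit on an authenticated session is worth correlating with the account involved, since the bug requires valid credentials.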
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Observium / Observium Professional, Enterprise & Community
- Range: =20.8.10631
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. gist.github.com/ahpaleus/cfa6dd1c3bf6924b268f1ca38198b40d (MISC)
News mentions
No linked articles in our index yet.