CVE-2022-29712
Description
LibreNMS v22.3.0 is vulnerable to multiple command injections via service_ip, hostname, and service_param parameters when calling external check scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LibreNMS v22.3.0 contains multiple command injection vulnerabilities in the service monitoring functionality. The service_ip, hostname, and service_param parameters are passed unsanitized into the shell command built by poll_service() in includes/services.inc.php (the file modified by the fix commit) [1]. Affected versions include any deployment running v22.3.0, the specific version disclosed; the fix was applied in commit [3] after the report.
Exploitation
An attacker with authenticated access to the LibreNMS web interface (or the ability to modify service definitions through other means) can inject arbitrary shell commands by crafting malicious values for service_ip, hostname, or service_param. The injection occurs during service polling, when the check command is built by plain string concatenation, `Config::get('nagios_plugins') . '/check_' . $service['service_type'] . ' -H ' . ($service['service_ip'] ?: $service['hostname']) . ' ' . $service['service_param']`, without any sanitization or shell escaping [4]. No special network position or race condition is required; the commands execute with the privileges of the LibreNMS application user.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the LibreNMS server. This can lead to full compromise of the monitoring system, including data exfiltration of device credentials, modification of monitoring configurations, and potential lateral movement to managed network devices. The injection provides shell-level access with the same rights as the LibreNMS process (typically www-data or the dedicated LibreNMS user).
Mitigation
The fix was committed to the LibreNMS repository in commit 8b82341 (pull request #13932) [3]. The commit applies Clean::fileName() to service_type, service_ip, hostname, and overwrite_ip before using them in the command string, preventing special characters from breaking out of the intended argument. Administrators should upgrade to a version containing this fix (any release after v22.3.0 that includes the commit) or manually apply the patch. No workaround is available for unpatched instances; systems still on v22.3.0 should be updated immediately.
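The safer way to build the same check command, as an added example in PHP that is not LibreNMS code: every user-controlled value is either validated against an allowlist or wrapped in escapeshellarg(), so no value can terminate its argument. The helper names and the sample service records are constructed for this illustration.

```php
<?php
// Added example (not LibreNMS code). The page's vulnerable pattern concatenates
// raw database values straight into one shell string; this builder does not.

/** Allowlist check: only characters that can appear in a hostname or IP literal. */
function is_safe_host(string $host): bool
{
    return $host !== '' && preg_match('/^[A-Za-z0-9.\-:]{1,253}$/', $host) === 1;
}

/** Restrict the plugin name so it can only select a file inside the plugin dir. */
function is_safe_service_type(string $type): bool
{
    return preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $type) === 1;
}

/**
 * Build the check command. Returns null when a value fails validation, so the
 * caller can log and skip the service instead of running a malformed command.
 */
function build_check_cmd(string $plugin_dir, array $service): ?string
{
    $type = (string) ($service['service_type'] ?? '');
    $host = ($service['service_ip'] ?? '') ?: ($service['hostname'] ?? '');
    if (!is_safe_service_type($type) || !is_safe_host($host)) {
        return null;
    }
    $cmd = escapeshellarg($plugin_dir . '/check_' . $type) . ' -H ' . escapeshellarg($host);

    // service_param is free-form plugin arguments: split on whitespace and quote
    // each token individually, so a token can never introduce a second command.
    $params = preg_split('/\s+/', trim((string) ($service['service_param'] ?? '')),
                         -1, PREG_SPLIT_NO_EMPTY);
    foreach ($params as $p) {
        $cmd .= ' ' . escapeshellarg($p);
    }
    return $cmd;
}

// Constructed sample records: one well-formed, one with a shell metacharacter
// in the hostname, which the allowlist rejects outright.
$good = ['service_type' => 'http', 'service_ip' => '192.0.2.10',
         'hostname' => 'web1', 'service_param' => '-p 8080 -u /health'];
$bad  = ['service_type' => 'http', 'service_ip' => '',
         'hostname' => 'web1;x', 'service_param' => ''];
var_dump(build_check_cmd('/usr/lib/nagios/plugins', $good));
var_dump(build_check_cmd('/usr/lib/nagios/plugins', $bad));
```

Passing an argv array to proc_open() instead of a shell string removes the shell from the path entirely and is the stronger option where the plugin invocation allows it.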
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| librenms/librenms (Packagist) | < 22.4.0 | 22.4.0 |
Affected products
Patches
8b82341cb742 Fix services command injection (#13932)
1 file changed · +6 −1
includes/services.inc.php+6 −1 modified@@ -4,6 +4,7 @@ use LibreNMS\Alert\AlertRules; use LibreNMS\Config; use LibreNMS\RRD\RrdDefinition; +use LibreNMS\Util\Clean; function get_service_status($device = null) { @@ -120,6 +121,10 @@ function poll_service($service) { $update = []; $old_status = $service['service_status']; + $service['service_type'] = Clean::fileName($service['service_type']); + $service['service_ip'] = Clean::fileName($service['service_ip']); + $service['hostname'] = Clean::fileName($service['hostname']); + $service['overwrite_ip'] = Clean::fileName($service['overwrite_ip']); $check_cmd = ''; // if we have a script for this check, use it. @@ -130,7 +135,7 @@ function poll_service($service) // If we do not have a cmd from the check script, build one. if ($check_cmd == '') { - $check_cmd = Config::get('nagios_plugins') . '/check_' . $service['service_type'] . ' -H ' . ($service['service_ip'] ? $service['service_ip'] : $service['hostname']); + $check_cmd = Config::get('nagios_plugins') . '/check_' . $service['service_type'] . ' -H ' . ($service['service_ip'] ?: $service['hostname']); $check_cmd .= ' ' . $service['service_param']; }
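Review bot: in the second hunk (poll_service), Clean::fileName() is a filename sanitizer being used to guarantee shell-argument safety, which makes the protection depend on whichever characters fileName() happens to strip rather than on the shell's quoting rules; wrapping each value in escapeshellarg() at the concatenation site, or passing an argv array to proc_open(), would state the intended guarantee directly. Also, overwrite_ip is cleaned here but is not used anywhere in the visible command build, so a one-line comment on where it is consumed would help the next reader.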
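Review bot: in the third hunk, the trailing `$check_cmd .= ' ' . $service['service_param'];` is left unchanged, so service_param is still appended to the command string unquoted even though the CVE description names it as one of the injected parameters, and none of the Clean::fileName() calls added above cover it. The `? :` to `?:` rewrite in the same hunk is purely stylistic and does not change what reaches the shell; consider tokenizing service_param and applying escapeshellarg() to each token in this same change.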
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-23f2-vgr6-fwv7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29712 (GHSA advisory)
- github.com/librenms/librenms/commit/8b82341cb742e7bd4966964b399012f7ba017e0b (GHSA, web)
- github.com/librenms/librenms/pull/13932 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.