VYPR
High severity · NVD Advisory · Published Jul 22, 2025 · Updated Jul 23, 2025

LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

CVE-2025-54138

Description

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibreNMS <=25.6.0 lets an authenticated user include any .inc.php file in includes/html/forms/ through the 'type' parameter of ajax_form.php, which was character-filtered but not allowlisted; this becomes RCE if the attacker can place a file in that directory.

Vulnerability

Details

The ajax_form.php endpoint in LibreNMS versions 25.6.0 and below builds an include path from user-controlled POST input: the type parameter is appended to the fixed prefix includes/html/forms/ and the suffix .inc.php, and the result is passed to include_once [1]. The pre-fix code (visible in the patch below) did filter the value with the regex ^[a-zA-Z0-9\-]+$ and checked file_exists, so directory traversal, null bytes and remote URLs are rejected; what was missing is an allowlist of the form names the application actually serves. The advisory text calls this Remote File Inclusion, but the included file is always local to that one directory, which is why the title describes it as Local File Inclusion. The pattern is a latent Remote Code Execution (RCE) vector if an attacker can stage a file in that directory, for example via a symlink, a development misconfiguration, or a chained vulnerability [1].

Exploitation

An authenticated user (the endpoint exits with 'Unauthorized' before reaching the include, as the context at the top of the patch hunk shows) sends a POST request to ajax_form.php with a chosen type value, and the application includes includes/html/forms/<type>.inc.php if that file exists. Because the regex permits only letters, digits and hyphens and the code itself appends .inc.php, the attacker cannot escape the directory, change the extension, or reference a URL. The vulnerability therefore only becomes critical when the attacker can place a file named <name>.inc.php in that exact directory by other means, such as a separate arbitrary file write, a symlink planted there, or a misconfiguration that allows uploads to that location [1]; once such a file exists it is reachable with a single request.

Impact

If an attacker succeeds in staging a malicious .inc.php file in that directory, a single authenticated request executes it as PHP under the web server's account. That is full compromise of the LibreNMS instance: the monitoring data, the device and SNMP credentials the instance stores, and a foothold for lateral movement into the monitored network [1].

Mitigation

The vulnerability is fixed in LibreNMS version 25.7.0 [2]. The fix replaces the regex-and-file_exists check with a strict allowlist (a PHP match expression) that maps each permitted type value to its file path; anything unlisted, including a missing type, now receives an HTTP 400 'Invalid form type' response instead of an include attempt [3]. Users are strongly advised to upgrade to 25.7.0 or later. Upgrading closes the include path but does not remove a file that was already staged: after upgrading, check includes/html/forms/ for symlinks and for .inc.php files that are not in the patched allowlist, and treat any finding as evidence that the prerequisite write primitive exists and needs its own investigation.
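The following Python script is an added example, not LibreNMS code and not part of the advisory. It models the pre-fix regex-and-file_exists dispatch and the post-fix allowlist dispatch side by side, showing why the character filter alone did not stop a staged file from being included, and it audits a forms directory the way the check above suggests. The allowlist is copied from the fix commit shown on this page; the temporary directory, the two genuine form names placed in it, the staged file name evil and the symlink are constructed fixtures.

```python
"""Added example (not LibreNMS code): model the pre-fix and post-fix dispatch
of html/ajax_form.php and audit includes/html/forms/ for staged files.
The allowlist is copied from the fix commit; the directory tree, the
'shipped' forms in it and the staged name 'evil' are constructed fixtures."""
import os
import re
import stat
import tempfile

# Form names from the post-fix match() in html/ajax_form.php (commit ec89714d929e).
ALLOWED_FORMS = frozenset("""
alert-details alert-notes alert-rules alert-templates alert-transports
application-update component convert-template create-service customoid
delete-alert-rule delete-alert-template delete-alert-transport
delete-cluster-poller delete-customoid delete-host-dependency delete-poller
delete-service delete-transport-group get-host-dependencies mempool-update
notifications override-config parse-alert-rule parse-alert-template
parse-customoid parse-poller-groups parse-service poller-groups
processor-update rediscover-device refresh-oxidized-node
reload-oxidized-nodes-list reset-port-state routing-update
save-host-dependency schedule-maintenance search-oxidized-config
sensor-alert-reset sensor-alert-update sensor-update show-alert-transport
show-transport-group sql-from-alert-collection sql-from-alert-rules
storage-update token-item-create token-item-disable token-item-remove
transport-groups update-alert-rule update-ifalias update-ifspeed
update-port-notes update-ports wireless-sensor-alert-reset
wireless-sensor-alert-update wireless-sensor-update
""".split())

FORMS_DIR = "includes/html/forms"
# Character filter used by the pre-fix code: preg_match('/^[a-zA-Z0-9\-]+$/', ...)
TYPE_RE = re.compile(r"^[a-zA-Z0-9\-]+$")


def resolve_vulnerable(root, form_type):
    """Pre-fix dispatch: any [A-Za-z0-9-]+ name whose .inc.php exists is
    included, so a file staged in the directory is reachable by name."""
    if not isinstance(form_type, str) or not TYPE_RE.match(form_type):
        return None
    path = os.path.join(root, FORMS_DIR, form_type + ".inc.php")
    return path if os.path.exists(path) else None


def resolve_fixed(root, form_type):
    """Post-fix dispatch: the name must be one of the 58 listed forms; the
    file_exists check is kept so a listed-but-missing form fails closed."""
    if not isinstance(form_type, str) or form_type not in ALLOWED_FORMS:
        return None
    path = os.path.join(root, FORMS_DIR, form_type + ".inc.php")
    return path if os.path.exists(path) else None


def audit_forms_dir(root):
    """Post-upgrade / post-incident check: list entries in includes/html/forms/
    that the shipped code never includes. Returns (name, reason) pairs."""
    findings = []
    forms = os.path.join(root, FORMS_DIR)
    for name in sorted(os.listdir(forms)):
        full = os.path.join(forms, name)
        if stat.S_ISLNK(os.lstat(full).st_mode):
            findings.append((name, "symlink"))
        elif not name.endswith(".inc.php"):
            findings.append((name, "unexpected extension"))
        elif name[: -len(".inc.php")] not in ALLOWED_FORMS:
            findings.append((name, "not in allowlist"))
    return findings


def build_sample_tree():
    """Constructed fixture: two genuine form names, one staged file, one symlink."""
    root = tempfile.mkdtemp(prefix="librenms-demo-")
    forms = os.path.join(root, FORMS_DIR)
    os.makedirs(forms)
    for name in ("alert-notes", "update-ports", "evil"):
        with open(os.path.join(forms, name + ".inc.php"), "w") as fh:
            fh.write("<?php // " + name + " (constructed placeholder)\n")
    # A symlink is flagged on its own, regardless of what it points to.
    os.symlink("/tmp/outside.inc.php", os.path.join(forms, "link.inc.php"))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for t in ("alert-notes", "evil", "../config", "link"):
        print(t, "old:", resolve_vulnerable(root, t), "new:", resolve_fixed(root, t))
    for name, reason in audit_forms_dir(root):
        print("FINDING", name, reason)
```

On a real install, point audit_forms_dir at the LibreNMS root; anything other than an empty result deserves a look whether or not the instance has already been upgraded, since the staged file is evidence of the write primitive, not of the include bug.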

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: librenms/librenms (Packagist)
Affected versions: < 25.7.0
Patched versions: 25.7.0

Affected products

2 entries
  • librenms/librenms (2 version ranges)
    • (no CPE) range: <=25.6.0
    • (no CPE) range: < 25.7.0

Patches

1 patch · commit ec89714d929e

Added ajax_form fixed include list (#17990)

https://github.com/librenms/librenms · Tony Murray · Jul 1, 2025 · via ghsa
1 file changed · +68 −5
  • html/ajax_form.php (modified, +68 −5)
    @@ -21,10 +21,73 @@
         exit('Unauthorized');
     }
     
    -Debug::set(isset($_REQUEST['debug']) ? $_REQUEST['debug'] : false);
    +Debug::set(isset($_REQUEST['debug']));
     
    -if (preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['type']) == 1) {
    -    if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    -        include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
    -    }
    +$ajax_form = match ($_POST['type'] ?? '') {
    +    'alert-details' => 'includes/html/forms/alert-details.inc.php',
    +    'alert-notes' => 'includes/html/forms/alert-notes.inc.php',
    +    'alert-rules' => 'includes/html/forms/alert-rules.inc.php',
    +    'alert-templates' => 'includes/html/forms/alert-templates.inc.php',
    +    'alert-transports' => 'includes/html/forms/alert-transports.inc.php',
    +    'application-update' => 'includes/html/forms/application-update.inc.php',
    +    'component' => 'includes/html/forms/component.inc.php',
    +    'convert-template' => 'includes/html/forms/convert-template.inc.php',
    +    'create-service' => 'includes/html/forms/create-service.inc.php',
    +    'customoid' => 'includes/html/forms/customoid.inc.php',
    +    'delete-alert-rule' => 'includes/html/forms/delete-alert-rule.inc.php',
    +    'delete-alert-template' => 'includes/html/forms/delete-alert-template.inc.php',
    +    'delete-alert-transport' => 'includes/html/forms/delete-alert-transport.inc.php',
    +    'delete-cluster-poller' => 'includes/html/forms/delete-cluster-poller.inc.php',
    +    'delete-customoid' => 'includes/html/forms/delete-customoid.inc.php',
    +    'delete-host-dependency' => 'includes/html/forms/delete-host-dependency.inc.php',
    +    'delete-poller' => 'includes/html/forms/delete-poller.inc.php',
    +    'delete-service' => 'includes/html/forms/delete-service.inc.php',
    +    'delete-transport-group' => 'includes/html/forms/delete-transport-group.inc.php',
    +    'get-host-dependencies' => 'includes/html/forms/get-host-dependencies.inc.php',
    +    'mempool-update' => 'includes/html/forms/mempool-update.inc.php',
    +    'notifications' => 'includes/html/forms/notifications.inc.php',
    +    'override-config' => 'includes/html/forms/override-config.inc.php',
    +    'parse-alert-rule' => 'includes/html/forms/parse-alert-rule.inc.php',
    +    'parse-alert-template' => 'includes/html/forms/parse-alert-template.inc.php',
    +    'parse-customoid' => 'includes/html/forms/parse-customoid.inc.php',
    +    'parse-poller-groups' => 'includes/html/forms/parse-poller-groups.inc.php',
    +    'parse-service' => 'includes/html/forms/parse-service.inc.php',
    +    'poller-groups' => 'includes/html/forms/poller-groups.inc.php',
    +    'processor-update' => 'includes/html/forms/processor-update.inc.php',
    +    'rediscover-device' => 'includes/html/forms/rediscover-device.inc.php',
    +    'refresh-oxidized-node' => 'includes/html/forms/refresh-oxidized-node.inc.php',
    +    'reload-oxidized-nodes-list' => 'includes/html/forms/reload-oxidized-nodes-list.inc.php',
    +    'reset-port-state' => 'includes/html/forms/reset-port-state.inc.php',
    +    'routing-update' => 'includes/html/forms/routing-update.inc.php',
    +    'save-host-dependency' => 'includes/html/forms/save-host-dependency.inc.php',
    +    'schedule-maintenance' => 'includes/html/forms/schedule-maintenance.inc.php',
    +    'search-oxidized-config' => 'includes/html/forms/search-oxidized-config.inc.php',
    +    'sensor-alert-reset' => 'includes/html/forms/sensor-alert-reset.inc.php',
    +    'sensor-alert-update' => 'includes/html/forms/sensor-alert-update.inc.php',
    +    'sensor-update' => 'includes/html/forms/sensor-update.inc.php',
    +    'show-alert-transport' => 'includes/html/forms/show-alert-transport.inc.php',
    +    'show-transport-group' => 'includes/html/forms/show-transport-group.inc.php',
    +    'sql-from-alert-collection' => 'includes/html/forms/sql-from-alert-collection.inc.php',
    +    'sql-from-alert-rules' => 'includes/html/forms/sql-from-alert-rules.inc.php',
    +    'storage-update' => 'includes/html/forms/storage-update.inc.php',
    +    'token-item-create' => 'includes/html/forms/token-item-create.inc.php',
    +    'token-item-disable' => 'includes/html/forms/token-item-disable.inc.php',
    +    'token-item-remove' => 'includes/html/forms/token-item-remove.inc.php',
    +    'transport-groups' => 'includes/html/forms/transport-groups.inc.php',
    +    'update-alert-rule' => 'includes/html/forms/update-alert-rule.inc.php',
    +    'update-ifalias' => 'includes/html/forms/update-ifalias.inc.php',
    +    'update-ifspeed' => 'includes/html/forms/update-ifspeed.inc.php',
    +    'update-port-notes' => 'includes/html/forms/update-port-notes.inc.php',
    +    'update-ports' => 'includes/html/forms/update-ports.inc.php',
    +    'wireless-sensor-alert-reset' => 'includes/html/forms/wireless-sensor-alert-reset.inc.php',
    +    'wireless-sensor-alert-update' => 'includes/html/forms/wireless-sensor-alert-update.inc.php',
    +    'wireless-sensor-update' => 'includes/html/forms/wireless-sensor-update.inc.php',
    +    default => null,
    +};
    +
    +if (! $ajax_form || ! file_exists($ajax_form)) {
    +    http_response_code(400);
    +    exit('Invalid form type');
     }
    +
    +include_once $ajax_form;
    
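Review bot: the Debug::set change at the top of the hunk widens the trigger: `Debug::set(isset($_REQUEST['debug']))` turns debug on for any request that merely mentions the parameter, including `debug=0` or an empty `debug=`, where the old line passed the value through. If that is not intended, keep a value-based form such as `Debug::set(! empty($_REQUEST['debug']))`. The match() block itself looks right: strict comparison means a non-string `type` (an array from `type[]=x`) falls to `default => null` and gets the 400, and keeping `file_exists($ajax_form)` after the lookup means a listed form that is missing on disk fails closed rather than raising an include error.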

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.