3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65014

CVE-2025-65014: LibreNMS has Weak Password Policy

Summary

A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.

Details

Vulnerable Component: User creation / password definition

The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.

PoC

Log in to the application using an Administrator account.
Navigate to the user management section:
Create a new user account using the password 12345678.

The application accepts the weak password without restrictions and creates the account successfully.

Impact

Weak password policy vulnerabilities can have severe consequences, including:

Increased risk of brute-force and credential stuffing attacks
Unauthorized access to user or administrative accounts
Privilege escalation through compromised credentials
Degradation of the overall security posture of the platform

Mitigation

Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
Block the use of commonly known weak passwords (e.g., 12345678, password, admin, qwerty).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65014

CVE-2025-65014:

3.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
librenms/librenms	composer	< 25.11.0	25.11.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was caused by a weak and inconsistently applied password policy across different user management functions in LibreNMS. The application failed to enforce strong password requirements, allowing administrators to set trivial passwords for user accounts. The analysis of the patch between the vulnerable version (25.10.0) and the patched version (25.11.0) revealed that the fix involved centralizing the password policy using Laravel's Password::defaults() functionality. This new, stronger policy was then applied to all user creation and password update pathways.

The identified vulnerable functions are the exact points where password data is processed and validated. Before the patch, these functions either had no password strength validation or only checked for a minimum length. The patch modifies these specific functions to enforce the new, secure password policy.

App\Http\Controllers\Install\MakeUserController::create: Handles the initial admin user creation during setup. It was vulnerable as it only required a password to be present.
App\Http\Requests\StoreUserRequest::rules: Defines validation for new user creation via the web UI. It was vulnerable due to only checking for minimum password length.
App\Http\Requests\UpdateUserRequest::rules: Defines validation for user password changes. It was also vulnerable by only checking for minimum length.
App\Console\Commands\AddUserCommand::handle: Manages user creation from the command line and previously had no password strength validation at all.

By identifying these specific functions, a security engineer can confirm if their runtime environment is affected by monitoring these exact methods for invocations that could indicate exploitation or insecure configurations.

Vulnerable functions

App\Http\Controllers\Install\MakeUserController::create

app/Http/Controllers/Install/MakeUserController.php

This function is used to create the initial administrator user during the LibreNMS installation process. The validation rule for the password was changed from simply 'required' to use the new `Password::defaults()` rule. The original implementation allowed the creation of an admin user with a weak password, as it only checked for the presence of a password, not its strength.

App\Http\Requests\StoreUserRequest::rules

app/Http/Requests/StoreUserRequest.php

This function defines the validation rules for creating a new user through the web interface. The original rule for 'new_password' only enforced a minimum length, which is insufficient for a strong password policy. The patch replaces this with `Password::defaults()`, which enforces a much stronger and configurable policy, including checks for compromised passwords.

App\Http\Requests\UpdateUserRequest::rules

app/Http/Requests/UpdateUserRequest.php

This function sets the validation rules for updating an existing user's information, including their password. Similar to user creation, the old rule only checked for a minimum password length. The patch applies the new `Password::defaults()` policy to ensure that when a user's password is changed, it must adhere to the new, stronger requirements.

App\Console\Commands\AddUserCommand::handle

app/Console/Commands/AddUserCommand.php

This function handles the creation of users via the command-line interface. The entire method was refactored to add proper validation. Previously, it would accept any password provided. The patch introduces the `passwordRules()` method, which leverages `Password::defaults()` to enforce the strong password policy for users created via the CLI.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65014: LibreNMS has Weak Password Policy

Summary

Details

PoC

Impact

Mitigation

CVE-2025-65014:

3.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2025-65014: LibreNMS has Weak Password Policy

Summary

Details

PoC

Impact

Mitigation

3.7

3.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI