Overview
A medium severity security vulnerability, identified as CVE-2025-65093, has been discovered in LibreNMS, a popular auto-discovering PHP/MySQL/SNMP based network monitoring tool. This vulnerability is a boolean-based blind SQL injection located in the /ajax_output.php endpoint. Successful exploitation could allow an attacker to extract sensitive information from the LibreNMS database.
Technical Details
The vulnerability resides in the way the hostname parameter is handled within the /ajax_output.php endpoint. This parameter is directly interpolated into an SQL query without proper sanitization or the use of parameterized queries. This allows an attacker to inject malicious SQL code into the query by manipulating the hostname parameter.
Specifically, by crafting carefully designed boolean expressions within the hostname parameter, an attacker can infer data from the database through observing conditional responses. Because it’s a *blind* SQL injection, the attacker doesn’t receive direct output. Instead, they must deduce information based on the application’s behavior, such as changes in response time or content depending on the truthfulness of the injected boolean expression.
CVSS Analysis
This vulnerability has been assigned a CVSS score of 5.5, indicating a MEDIUM severity. The CVSS vector is likely AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This reflects the relative ease of exploitation (network access, low attack complexity, low privileges required) and the limited impact (confidentiality impact is low, no integrity or availability impact). While the impact is not catastrophic, the potential to expose sensitive network configuration information makes this a serious concern.
Possible Impact
A successful exploit of CVE-2025-65093 could allow an attacker to:
- Extract sensitive information from the LibreNMS database, such as:
- Network device credentials
- Configuration details
- User information
- Potentially pivot to other attacks within the network if credentials are compromised.
Mitigation and Patch Steps
The vulnerability has been patched in LibreNMS version 25.11.0. It is strongly recommended that all users of LibreNMS upgrade to version 25.11.0 or later as soon as possible.
If upgrading is not immediately possible, consider implementing the following temporary mitigations:
- Implement strict input validation and sanitization on the
hostnameparameter. - Deploy a Web Application Firewall (WAF) to filter potentially malicious SQL injection attempts. Configure rules to block suspicious characters and patterns in the
hostnameparameter. - Monitor LibreNMS logs for any suspicious activity related to the
/ajax_output.phpendpoint.
