Blind Faith: Uncovering SQL Injection in LibreNMS
Vulnerability ID: CVE-2025-65093
CVSS Score: 5.5
Published: 2025-11-18
A boolean-based Blind SQL Injection vulnerability in LibreNMS allows authenticated administrators to extract arbitrary database information via the hostname parameter in the /ajax_output.php endpoint.
TL;DR
LibreNMS prior to version 25.11.0 contains a Blind SQL Injection vulnerability. Although it requires administrator privileges, it allows for complete database enumeration via boolean inference. The flaw resides in the /ajax_output.php script where user input is directly concatenated into a SQL query.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-89 (SQL Injection)
- Attack Vector: Network (Admin Auth Required)
- CVSS v3.1: 5.5 (Medium)
- Exploit Status: PoC Available
- Impact: High Confidentiality Loss
- Vulnerable Param: hostname
Affected Systems
- LibreNMS < 25.11.0
- LibreNMS: < 25.11.0 (Fixed in: 25.11.0)
Code Analysis
Commit: d9f5730
Fix SQL injection in ajax_output.php
- $sql = "SELECT ... LIKE '$hostname'";
+ $sql = "SELECT ... LIKE ?";
+ $params = [$hostname];
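Review bot: On the added `LIKE ?` line, the bound value is still used as a LIKE pattern, so `%` and `_` inside $hostname keep their wildcard meaning even though the injection itself is closed. If an exact hostname match is intended, compare with `= ?`, or escape those two characters before binding. The visible lines also stop at `$params = [$hostname];` and do not show the query call, so confirm that $params is what actually gets passed to it.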
Exploit Details
- Manual PoC: Boolean-based inference using logic operators in the hostname parameter.
Mitigation Strategies
- Input Validation
- Parameter Binding
- Web Application Firewall (WAF)
Remediation Steps:
- Upgrade LibreNMS to version 25.11.0 or later immediately.
- Verify that the hostname parameter in /ajax_output.php is no longer vulnerable by attempting the PoC against a test instance.
- Review web server logs for past requests to ajax_output.php containing SQL syntax (AND, OR, SELECT, UNION) to detect potential prior exploitation.
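The log review in the last step can be scripted. This is an added example, not LibreNMS code or part of the original advisory; it assumes combined-format access logs and that hostname was sent in the URL query string (request bodies are not logged), and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Client IP and request target from a combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Keywords listed in the remediation step, matched as whole words; the single
# quote is an extra indicator added here, since it is not valid in a hostname.
SQL_TOKENS = re.compile(r"\b(AND|OR|SELECT|UNION)\b|'", re.IGNORECASE)

# Constructed sample lines (documentation IP range, made-up hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - admin [18/Nov/2025:10:01:02 +0000] "GET /ajax_output.php?hostname=sandbox.example.net HTTP/1.1" 200 512',
    '192.0.2.44 - admin [18/Nov/2025:10:03:17 +0000] "GET /ajax_output.php?hostname=core-sw1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 498',
    '192.0.2.44 - admin [18/Nov/2025:10:03:19 +0000] "GET /ajax_output.php?hostname=core-sw1%2527+aNd+1 HTTP/1.1" 200 20',
    '192.0.2.10 - admin [18/Nov/2025:10:05:40 +0000] "GET /other.php?hostname=a+OR+b HTTP/1.1" 404 0',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %2527 -> %27 -> ')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (client_ip, decoded hostname) for ajax_output.php requests whose
    hostname parameter contains SQL syntax."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a log line in the assumed format
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/ajax_output.php"):
            continue
        # parse_qs percent-decodes once and turns '+' into a space
        for raw in parse_qs(url.query, keep_blank_values=True).get("hostname", []):
            value = fully_decode(raw)
            if SQL_TOKENS.search(value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\thostname={value!r}")
```

Whole-word matching keeps names such as sandbox.example.net from matching, but a hostname like or-gw1 would still be flagged, so treat hits as leads to review rather than confirmed exploitation.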