CVE-2024-51092
Published 2026-05-08
Priority: P2 (75) · Severity: critical · CVSS 3.1 base score: 9.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Exploit: available
EPSS: 6.93% (93.3rd percentile)
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| librenms | librenms | < 24.10.0 | 24.10.0 |
| librenms | librenms | >= 0 < 24.10.0 | 24.10.0 |
Detection & IOCs (extracted from sources)
Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb
- Monitor for OS command injection via shell_exec() calls triggered through LibreNMS web portal endpoints: AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory()
- Alert on creation of anomalous or dangerous directory names on the filesystem by the LibreNMS web process user, as this is a prerequisite step in the exploit chain
- Alert on unexpected modification of sensitive LibreNMS configuration parameters via the web portal (SettingsController update endpoint), especially when followed by shell_exec() invocations
- Ensure LibreNMS is upgraded to version 24.10.0 or later; all versions before 24.10.0 are vulnerable to this authenticated RCE
- Exploitation requires authentication to the LibreNMS web portal; unauthenticated attackers cannot directly trigger this vulnerability
- The exploit is a two-stage chain: first abusing directory creation (initRrdDirectory) and configuration tampering (SettingsController), then triggering command injection via shell_exec(); detection logic must account for both stages
OSV (2024-11-15): CVE-2024-51092 [CRITICAL] LibreNMS has an Authenticated OS Command Injection
### Summary
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Combined, those two defects allow an attacker to inject arbitrary OS commands into `shell_exec()` calls, achieving arbitrary code execution.
### Details
#### OS Command Injection
We start by inspecting the file `app/Http/Controllers/AboutController.php`, in particular the index() method, which is executed simply by visiting the /about page:
```php
public function index(Request $request)
{
    $version = Version::get();
    return view('about.index', [
        'version_webserver' => $request->server('SERVER_SOFTWARE'),
        'version_rrdtool'   => Rrd::version(),
        // The advisory excerpt is truncated at this point; the original line begins:
        // 'version_netsnmp' => str_replace('ve
    ]);
}
```
GHSA (2024-11-15): CVE-2024-51092 [CRITICAL] CWE-78 LibreNMS has an Authenticated OS Command Injection (advisory body identical to the OSV entry above)
No detection rules found.