CVE-2024-51092
published 2026-05-08

CVE-2024-51092: LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index()…

Priority: P275 · Severity: critical · Base score: 9.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Exploit: public exploit available
EPSS: 6.93% (93.3rd percentile)
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

Affected (2 ranges)

Vendor     Product    Version range       Fixed in
librenms   librenms   < 24.10.0           24.10.0
librenms   librenms   >= 0, < 24.10.0     24.10.0

Detection & IOCs (extracted from sources)

Source: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb
  • Monitor for OS command injection via shell_exec() calls triggered through LibreNMS web portal endpoints: AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory()
  • Alert on creation of anomalous or dangerous directory names on the filesystem by the LibreNMS web process user, as this is a prerequisite step in the exploit chain
  • Alert on unexpected modification of sensitive LibreNMS configuration parameters via the web portal (SettingsController update endpoint), especially when followed by shell_exec() invocations
  • Ensure LibreNMS is upgraded to version 24.10.0 or later; all versions before 24.10.0 are vulnerable to this authenticated RCE
  • Exploitation requires authentication to the LibreNMS web portal; unauthenticated attackers cannot directly trigger this vulnerability
  • The exploit is a two-stage chain: first abusing directory creation (initRrdDirectory) and configuration tampering (SettingsController), then triggering command injection via shell_exec(); detection logic must account for both stages