LibreNMS Remote File Inclusion Vulnerability in ajax_form.php Endpoint Allows Remote Code Execution

A remote file inclusion vulnerability has been identified in LibreNMS versions through 25.6.0. The issue resides in the ajax_form.php endpoint, where user-controlled POST input is used to dynamically include .inc.php files from the includes/html/forms/ directory. This inclusion is done without proper validation or allowlisting, creating a potential remote code execution vector if an attacker can place a file in the include path, such as through a symlink or a development misconfiguration.

Impact

Exploitation of this vulnerability allows authenticated users to include arbitrary files from the server, potentially leading to remote code execution under the context of the web server user.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the ajax_form.php endpoint with a crafted 'type' parameter that points to a malicious .inc.php file. If the specified file is included, the attacker can achieve remote code execution by staging a PHP file that executes system commands.

Remediation

Users can upgrade to LibreNMS version 25.7.0 or later, where this vulnerability has been patched.