LibreNMS Weak Password Policy Vulnerability

Vulnerability

A weak password policy vulnerability has been identified in LibreNMS versions prior to 25.11.0. The user management feature does not enforce any password-strength requirements, so an administrator can create user accounts with trivial, easily guessable passwords such as '12345678'. Accounts protected by such passwords are exposed to online brute-force and credential-stuffing attacks, which undermines the authentication security of the application.

Impact

The weak password policy increases the risk of unauthorized access to user or administrative accounts. A guessed password grants the attacker whatever privileges that account holds; for an administrative account this means full control of the monitoring platform, so compromised credentials can translate directly into privilege escalation. The issue also degrades the overall security posture of the platform.

Reproduction

To reproduce this vulnerability, log in to LibreNMS with an administrator account, open the user management section, and create a new user with the password '12345678'. An unpatched installation accepts this password and creates the account without any error or warning.

Remediation

Users are advised to update to LibreNMS version 25.11.0 or later. Operators should also enforce a strong password policy: a minimum of 12 characters with a mix of uppercase letters, lowercase letters, digits, and special characters, plus a check that rejects commonly known weak passwords. Note that a stricter policy only applies to passwords set after it is introduced; accounts created under the weak policy should be audited and their passwords reset.
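The following is an added example, not code from LibreNMS or from this advisory, showing how the recommended policy can be enforced in application code. It goes slightly beyond the text in one respect: besides the length and character-class rules, it normalizes each candidate (strips digits and symbols appended at either end, undoes common substitutions such as '@' for 'a') before checking the deny-list, because passwords like 'Password123!' satisfy every composition rule and are still among the first an attacker tries. The deny-list, function names, and sample passwords are constructed for the example.

```python
"""
Password-policy validator matching the remediation guidance above:
at least 12 characters, all four character classes, and rejection of
commonly known weak passwords (including dressed-up variants of them).
"""
import string
from typing import List, Optional

MIN_LENGTH = 12

# Constructed deny-list of frequently used passwords for this example.
# Assumption: a real deployment loads a large breach-derived list
# (for example a Have I Been Pwned export) instead of this inline sample.
COMMON_PASSWORDS = frozenset({
    "12345678", "123456789", "1234567890", "password", "passw0rd",
    "qwerty", "qwertyuiop", "letmein", "welcome", "admin", "administrator",
    "librenms", "monitoring", "iloveyou", "changeme",
})

# Substitutions people use to make a dictionary word look complex.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "$": "s", "7": "t", "!": "i"})


def _normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from.

    Lower-cases, strips the digits and symbols people tack on at either end
    (e.g. 'Password123!'), then undoes common character substitutions
    (e.g. 'P@ssw0rd'), so both of those map to 'password'.
    """
    trimmed = password.lower().strip(string.digits + string.punctuation)
    return trimmed.translate(_LEET)


def password_violations(password: str, username: Optional[str] = None) -> List[str]:
    """Return the policy rules the password breaks; an empty list means it passes."""
    violations: List[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    lowered = password.lower()
    # Check both the raw password and its normalized form against the deny-list.
    if lowered in COMMON_PASSWORDS or _normalize(password) in COMMON_PASSWORDS:
        violations.append("commonly used password")
    # Reject passwords that embed the account name (ignored for very short names).
    if username and len(username) >= 3 and username.lower() in lowered:
        violations.append("contains the username")
    return violations


def is_acceptable(password: str, username: Optional[str] = None) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password, username)


if __name__ == "__main__":
    # The password from the reproduction steps, plus a few that satisfy the
    # composition rules on paper but are still guessable.
    for candidate in ("12345678", "Password123!", "P@ssw0rd2024!",
                      "Correct-Horse-Battery-42"):
        problems = password_violations(candidate, username="admin")
        verdict = "accepted" if not problems else "rejected: " + ", ".join(problems)
        print(f"{candidate!r:28} {verdict}")
```

The validator returns every unmet rule as a list so the user-creation form can report all of them at once rather than one per submission. Composition rules alone are a weak proxy for guessability (NIST SP 800-63B favors length and screening against breached-password lists over mandatory character classes), which is why the deny-list check is the part not to skip.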

Added: Nov 18, 2025, 11:18 PM
Updated: Nov 18, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

metric          score
spread            5.0
impact            5.0
exploitability    9.5
remediation       7.9
relevance         1.0
threat            6.4
urgency           2.9
incentive        10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.