CVE-2025-65093 in LibreNMS
Summary
by MITRE • 11/19/2025
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a boolean-based blind SQL injection vulnerability was identified in the LibreNMS application at the /ajax_output.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query logic and infer data from the database through conditional responses. This issue has been patched in version 25.11.0.
Analysis
by VulDB Data Team • 11/20/2025
The vulnerability CVE-2025-65093 is a critical boolean-based blind SQL injection flaw in the LibreNMS network monitoring platform that affects versions prior to 25.11.0. The weakness is in the ajax_output.php endpoint, where the hostname parameter is incorporated directly into SQL queries without adequate input validation or parameter binding. Because the input is not properly sanitized, an attacker can manipulate database query logic through crafted input values, creating a pathway for unauthorized data extraction and system compromise.
This is a classic SQL injection vector in which an attacker exploits the lack of proper input sanitization to manipulate the SQL execution flow. When the hostname parameter is processed by the /ajax_output.php endpoint, the application does not use parameterized queries or adequate input filtering, so crafted SQL in that parameter triggers conditional responses. This boolean-based approach allows threat actors to infer database contents through response timing variations or conditional logic outcomes, enabling data exfiltration without direct SQL command execution capabilities.
From an operational impact perspective, this vulnerability poses significant risks to network monitoring environments that rely on LibreNMS for infrastructure management. Attackers could potentially extract sensitive information including user credentials, network configurations, device details, and other database contents that would normally be protected by proper access controls. The vulnerability affects the core functionality of the monitoring system and could lead to complete system compromise, unauthorized access to network devices, and potential lateral movement within the monitored network infrastructure. The impact extends beyond simple data theft to include potential disruption of network monitoring capabilities and compromise of security posture.
Security professionals should immediately upgrade to LibreNMS version 25.11.0 or later to remediate this vulnerability, as the patch addresses the root cause through proper input sanitization and parameter binding. Organizations should also implement network segmentation and access controls to limit exposure, and monitor for suspicious activity around the affected ajax_output.php endpoint. The vulnerability aligns with CWE-89, which categorizes SQL injection flaws, and relates to ATT&CK technique T1190 for exploiting vulnerabilities in web applications. Additional mitigations include implementing web application firewalls, conducting regular security assessments, and establishing proper input validation controls throughout the application stack to prevent similar injection vulnerabilities from occurring in other components of the monitoring infrastructure.
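One way to monitor the affected endpoint, as an added example that is not LibreNMS or VulDB code: it scans web access log lines for requests to /ajax_output.php whose hostname value contains characters that cannot occur in a hostname or IP literal, and counts such requests per client. The combined log format, the allowlist pattern, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can legitimately appear in a hostname, IPv4 or IPv6 literal.
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9._:\-\[\]]{1,253}$')
ENDPOINT = "/ajax_output.php"

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Nov/2025:10:01:02 +0000] "GET /ajax_output.php?hostname=core-sw1.example.net HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:01:05 +0000] "GET /ajax_output.php?hostname=core-sw1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:01:06 +0000] "GET /ajax_output.php?hostname=core-sw1%27%20AND%20%271%27%3D%272 HTTP/1.1" 200 87
198.51.100.7 - - [20/Nov/2025:10:02:00 +0000] "GET /overview HTTP/1.1" 200 4096
192.0.2.44 - - [20/Nov/2025:10:03:10 +0000] "GET /ajax_output.php?hostname=2001:db8::1 HTTP/1.1" 200 512
"""

def suspicious_requests(log_text):
    """Return (client, decoded hostname value) for endpoint hits whose hostname
    parameter contains characters outside the hostname/IP allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes values; blank values are kept so they are inspected too.
        for value in parse_qs(url.query, keep_blank_values=True).get("hostname", []):
            if not HOSTNAME_RE.match(value):
                hits.append((m.group("client"), value))
    return hits

def clients_by_hit_count(log_text):
    """Count flagged requests per client; blind inference needs many requests from one source."""
    return Counter(client for client, _ in suspicious_requests(log_text))

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\t{value!r}")
```

Access logs record only the query string, so a hostname value sent in a request body needs the same check at a reverse proxy or web application firewall that can see the body.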