CVE-2024-51092 Overview
CVE-2024-51092 is an OS command injection vulnerability [CWE-78] affecting LibreNMS versions prior to 24.10.0. LibreNMS is an open-source network monitoring system widely deployed for device polling, alerting, and performance graphing. The flaw resides in three components: AboutController.php's index() method, SettingsController.php's update() method, and PollDevice.php's initRrdDirectory() function. An authenticated remote attacker can inject operating system commands that the LibreNMS application executes on the underlying host. A Metasploit module targeting this vulnerability is publicly available, increasing the practical risk to exposed installations.
Critical Impact
Authenticated attackers can execute arbitrary OS commands on LibreNMS servers, leading to full host compromise and pivoting into monitored network infrastructure.
Affected Products
- LibreNMS versions before 24.10.0
- Self-hosted LibreNMS deployments on Linux
- Network monitoring environments exposing the LibreNMS web interface
Discovery Timeline
- 2026-05-08 - CVE-2024-51092 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2024-51092
Vulnerability Analysis
The vulnerability is classified as OS Command Injection [CWE-78]. LibreNMS passes user-controllable input into shell contexts without adequate sanitization across three distinct code paths. The AboutController.php index() action exposes diagnostic information generation that incorporates attacker-influenced values. The SettingsController.php update() action persists configuration values that are later interpolated into command strings. The PollDevice.php initRrdDirectory() function constructs filesystem paths used in shell-executed RRDtool operations. The EPSS probability of 38.743% (97.306 percentile) reflects active interest from offensive tooling, including the public Metasploit exploit module.
Root Cause
The root cause is improper neutralization of special elements before they reach an OS command interpreter. LibreNMS relies on shell execution for several monitoring primitives, including RRD file management and system introspection. User input from authenticated sessions reaches these shell calls without strict allowlisting or argument-array execution. Shell metacharacters such as backticks, semicolons, and $() substitutions break out of the intended argument context and execute arbitrary commands under the LibreNMS service account.
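The difference between string concatenation and allowlisting plus argument-array execution can be shown without running anything. This is an added example, not LibreNMS code: it is written in Python rather than PHP, and the base path, the mkdir command, and all function names are assumptions chosen for illustration.

```python
import re
import shlex

RRD_BASE = "/opt/librenms/rrd"  # assumed base directory, for illustration only

# Strict allowlist for a device hostname used as a directory name.
HOSTNAME_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def shell_view(hostname):
    """Tokenise the concatenated command string the way a POSIX shell would.

    Nothing is executed; shlex only shows how the string is split.
    """
    command = "mkdir -p " + RRD_BASE + "/" + hostname  # vulnerable pattern
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def has_command_separator(tokens):
    """True when the shell would see an operator rather than one argument."""
    return any(tok and set(tok) <= set("();<>|&") for tok in tokens)


def safe_mkdir_argv(hostname):
    """Hardened pattern: allowlist first, then an argument array (no shell)."""
    if not HOSTNAME_OK.fullmatch(hostname) or ".." in hostname:
        raise ValueError(f"rejected hostname: {hostname!r}")
    # "--" stops option parsing; the path is always exactly one argv element.
    return ["mkdir", "-p", "--", f"{RRD_BASE}/{hostname}"]


if __name__ == "__main__":
    for value in ("sw1.example.net", "sw1;id"):  # constructed sample inputs
        tokens = shell_view(value)
        print(value, "->", tokens, "separator:", has_command_separator(tokens))
```

An argv list returned by safe_mkdir_argv() is meant for an exec-style call that bypasses the shell, so the hostname can never become more than one argument.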
Attack Vector
The attack vector is network-based and requires low-privilege authentication to the LibreNMS web interface. An attacker submits crafted parameters to the vulnerable controllers or device polling settings. The injected payload is concatenated into a shell command and executed by the application user. Successful exploitation yields code execution in the context of LibreNMS, which typically holds credentials and SNMP community strings for every monitored device. The publicly available Metasploit exploit module automates this exploitation chain.
Detection Methods for CVE-2024-51092
Indicators of Compromise
- Unexpected child processes spawned by the LibreNMS PHP or web server process, such as sh, bash, nc, curl, or wget.
- HTTP POST requests to /about, /settings, or device polling endpoints containing shell metacharacters like ;, |, `, or $(.
- New or modified files under the LibreNMS RRD directory with executable permissions or non-standard names.
- Outbound network connections from the LibreNMS host to attacker-controlled infrastructure.
Detection Strategies
- Inspect web server access logs for requests targeting AboutController and SettingsController routes with encoded shell characters.
- Monitor process creation telemetry for the LibreNMS service user invoking interactive shells or download utilities.
- Apply file integrity monitoring to the LibreNMS application directory and any writable RRD paths.
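One way to implement the access-log check from the first strategy, as an added example that is not part of the original advisory or of LibreNMS. It assumes combined-format access logs; the sample lines, addresses, and the query parameter name are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Route prefixes named in the advisory's indicators list.
WATCHED_PREFIXES = ("/about", "/settings")
# Metacharacters listed in the advisory: ; | ` $(
SHELL_META = re.compile(r"[;|`]|\$\(")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding (e.g. %2524 -> %24 -> $), bounded in depth."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (method, path, matched metacharacter) for flagged requests."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.startswith(WATCHED_PREFIXES):
            continue
        found = SHELL_META.search(fully_decode(parts.path + "?" + parts.query))
        if found:
            hits.append((m.group("method"), parts.path, found.group(0)))
    return hits


# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /about HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2025:10:02:11 +0000] "POST /settings?value=rrd%3Bid HTTP/1.1" 200 310',
    '192.0.2.44 - - [01/Jan/2025:10:02:40 +0000] "POST /settings?value=%2524%2528id%2529 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2025:10:05:00 +0000] "GET /devices?sort=a|b HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Standard access logs record only the request line, so parameters sent in a POST body need WAF or application-level logging to be inspected the same way.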
Monitoring Recommendations
- Forward LibreNMS application, web server, and host process logs to a centralized analytics platform for correlation.
- Alert on authentication events to LibreNMS followed within minutes by anomalous outbound traffic from the host.
- Track configuration changes made through the settings UI and flag values containing shell control characters.
How to Mitigate CVE-2024-51092
Immediate Actions Required
- Upgrade LibreNMS to version 24.10.0 or later on all instances.
- Rotate credentials, API tokens, and SNMP community strings stored in or accessible from LibreNMS.
- Restrict access to the LibreNMS web interface to trusted management networks or a VPN.
- Audit existing LibreNMS user accounts and remove unused or shared low-privilege accounts.
Patch Information
The LibreNMS maintainers fixed the issue in version 24.10.0. Details are published in the LibreNMS GitHub Security Advisory GHSA-x645-6pf9-xwxw. Administrators should follow the standard LibreNMS update procedure, which pulls the patched release and runs database migrations.
Workarounds
- If immediate patching is not possible, block external access to the LibreNMS interface at the network perimeter.
- Enforce strong authentication and unique credentials for all LibreNMS users to reduce the exploitable user pool.
- Run LibreNMS under a dedicated, low-privilege system account with no sudo rights and a restrictive shell.
- Place a web application firewall in front of LibreNMS with rules blocking shell metacharacters in request parameters.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


