PHP Remote File Inclusion Affecting librenms/librenms package, versions <25.7.0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-LIBRENMSLIBRENMS-11023379
- published28 Jul 2025
- disclosed21 Jul 2025
- creditSeth Kraft
Introduced: 21 Jul 2025
NewCVE-2025-54138 (opens in a new tab)How to fix?
Upgrade librenms/librenms to version 25.7.0 or higher.
Overview
librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support.
Affected versions of this package are vulnerable to PHP Remote File Inclusion via the ajax_form.php process. An attacker can execute arbitrary code on the server by controlling a file or symlink at the includes/html/forms/{type}.inc.php path and sending crafted POST requests. This is only exploitable if the attacker is authenticated and has the ability to place or control files in the include directory.