CVE-2025-54138: 
PHP vulnerability analysis and mitigation

CVE-2025-54138 affects LibreNMS versions 25.6.0 and below, which contains an architectural vulnerability in the ajax_form.php endpoint. The vulnerability was discovered and disclosed on July 22, 2025, affecting the PHP/MySQL/SNMP-based network monitoring system. The issue permits Remote File Inclusion based on user-controlled POST input, potentially leading to Remote Code Execution (RCE) (GitHub Advisory).

The vulnerability exists in the ajax_form.php endpoint where the application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/ without proper validation or allowlisting. The CVSS v3.1 score is 7.5 (High) with the vector string AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (GitHub Advisory, NVD).

If successfully exploited, this vulnerability could lead to Remote Code Execution (RCE) under the librenms user context. The impact affects system confidentiality, integrity, and availability with high severity ratings. An attacker could potentially execute arbitrary code if they can stage a file in the include path through methods such as symlink, development misconfiguration, or chained vulnerabilities (GitHub Advisory).

The vulnerability has been fixed in LibreNMS version 25.7.0. The recommended fix includes implementing strict allow listing or hardcoded routing instead of dynamically including user-supplied filenames, avoiding passing raw POST input into include_once, and ensuring the inclusion path is immutable and outside attacker control (GitHub Release, GitHub Advisory).