CVE-2024-51092
Published: 08 May 2026
Summary
CVE-2024-51092 is a critical-severity OS Command Injection (CWE-78) vulnerability in LibreNMS (vendor: LibreNMS). Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
LibreNMS versions prior to 24.10.0 contain an OS command injection vulnerability tracked as CVE-2024-51092 and assigned CWE-78. The flaw resides in the index() method of AboutController.php, the update() method of SettingsController.php, and the initRrdDirectory() method of PollDevice.php, enabling remote code execution when attacker-controlled input reaches operating-system command execution paths.
An authenticated remote attacker with low privileges can supply crafted input to these controllers and achieve arbitrary code execution on the underlying host. The CVSS 9.1 score reflects network attack vector, low complexity, and changed scope, allowing confidentiality, integrity, and availability impacts that extend beyond the vulnerable application.
Public references include the GitHub Security Advisory GHSA-x645-6pf9-xwxw, which documents the affected components and the availability of a fix in version 24.10.0, along with a Metasploit module that implements the exploit.
The EPSS score rose sharply from low values to a peak of 0.7331 on 2026-05-09, the day after disclosure, before receding to the current 0.4411; this trajectory indicates that exploitation interest materialized quickly after the advisory was published.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55572
Vulnerability details
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted input before it reaches OS command execution paths in AboutController, SettingsController, and PollDevice.
- AC-6 (Least Privilege): enforces least privilege on the web application and its authenticated users so that even a successful injection yields minimal host access.
- SI-2 (Flaw Remediation): mandates timely application of the vendor patch (24.10.0) that eliminates the command-injection flaws in the three affected PHP methods.
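As an added illustration of the input-validation control (SI-10) the advisory recommends, here is a constructed PHP example, not LibreNMS's own code: a hypothetical RRD-directory helper written in the CWE-78 shape the advisory describes, beside a hardened version that allow-list validates the name and avoids the shell. The function names, base path and sample inputs are assumptions.

```php
<?php
// Added example (not LibreNMS code): a hypothetical directory-creation helper in the
// CWE-78 shape the advisory describes, beside a hardened version.

// VULNERABLE: the caller's value is spliced into a shell command line, so shell
// metacharacters in $name (';', '$(...)', backticks) are interpreted as extra commands.
function initRrdDirectoryUnsafe(string $base, string $name): string
{
    $dir = $base . '/' . $name;
    exec('mkdir -p ' . $dir);              // CWE-78: untrusted data reaches the shell
    return $dir;
}

// HARDENED: allow-list validate first (SI-10), then avoid the shell entirely by
// using PHP's native filesystem call.
function initRrdDirectorySafe(string $base, string $name): string
{
    // Hostname-like tokens only: letters, digits, '.', '-', '_'; no leading '.',
    // which rules out '..' traversal as well as every shell metacharacter.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,252}$/', $name)) {
        throw new InvalidArgumentException("invalid directory name: $name");
    }
    $dir = $base . '/' . $name;
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir;
}

// Where a shell command is unavoidable, quote each argument so it is passed as one
// literal word whatever it contains.
function rrdtoolInfo(string $rrdPath): string
{
    return (string) shell_exec('rrdtool info ' . escapeshellarg($rrdPath));
}

// Constructed inputs for a self-check under a temp directory; only the safe
// variant is called.
$base = sys_get_temp_dir() . '/rrd-demo';
foreach (['switch-01.example.net', 'host; id', '../../etc'] as $candidate) {
    try {
        initRrdDirectorySafe($base, $candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate\n";
    }
}
```

Of the three constructed inputs only the hostname-like one is accepted; the other two are rejected before any filesystem or shell call is reached.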