Cyber Resilience

CVE-2024-51092

Critical · Public PoC · RCE

Published: 08 May 2026

Modified: 12 May 2026
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)
EPSS Score: 0.0693 (93.3rd percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2024-51092 is a critical-severity OS Command Injection (CWE-78) vulnerability in LibreNMS. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 6.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

LibreNMS versions prior to 24.10.0 contain an OS command injection vulnerability tracked as CVE-2024-51092 and assigned CWE-78. The flaw resides in the index() method of AboutController.php, the update() method of SettingsController.php, and the initRrdDirectory() method of PollDevice.php, enabling remote code execution when attacker-controlled input reaches operating-system command execution paths.

An authenticated remote attacker with low privileges can supply crafted input to these controllers and achieve arbitrary code execution on the underlying host. The CVSS 9.1 score reflects network attack vector, low complexity, and changed scope, allowing confidentiality, integrity, and availability impacts that extend beyond the vulnerable application.

Public references include the GitHub Security Advisory GHSA-x645-6pf9-xwxw, which documents the affected components and the availability of a fix in version 24.10.0, along with a Metasploit module that implements the exploit.

The EPSS score rose sharply from low values to a peak of 0.7331 on 2026-05-09, the day after disclosure, before receding to the current 0.4411; this trajectory indicates that exploitation interest materialized quickly after the advisory was published.

Vulnerability details

LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().

CVEs Like This One

CVE-2026-6204: same product (Librenms Librenms)
CVE-2026-26988: same product (Librenms Librenms)
CVE-2026-26990: same product (Librenms Librenms)
CVE-2020-36947: same product (Librenms Librenms)
CVE-2026-2041: same product class (network monitoring / SIEM)
CVE-2024-14003: same product class (network monitoring / SIEM)
CVE-2025-34227: same product class (network monitoring / SIEM)
CVE-2020-36867: same product class (network monitoring / SIEM)
CVE-2025-34284: same product class (network monitoring / SIEM)
CVE-2026-2043: same product class (network monitoring / SIEM)

Affected Assets

Vendor: librenms
Product: librenms
Version: ≤ 24.10.0

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly requires validation of untrusted input before it reaches OS command execution paths in AboutController, SettingsController, and PollDevice.

Prevent: Enforces least privilege on the web application and authenticated users so that even a successful injection yields minimal host access.

Respond (SI-2, Flaw Remediation): Mandates timely application of the vendor patch that eliminates the command-injection flaws in the three affected PHP methods.