Compliance Impact

The vulnerability allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal, potentially leading to information disclosure, privilege escalation, and remote code execution.

Such unauthorized access and potential data exposure could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

Therefore, exploitation of this vulnerability could result in violations of data protection requirements and increase the risk of regulatory penalties.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-30480 is a Local File Inclusion (LFI) vulnerability found in the NFSen module of LibreNMS, specifically in the file nfsen.inc.php. It occurs because the application directly uses user input from the nfsen parameter in an include() statement without proper sanitization or validation.

The vulnerability allows an authenticated attacker to use path traversal sequences (like ../) in the nfsen parameter to include arbitrary PHP files from the server filesystem. This happens because the only check performed is to verify if the file exists, but it does not prevent traversal outside the intended directory.

For example, an attacker can manipulate the URL parameter to include sensitive or unintended files, potentially leading to information disclosure, privilege escalation, or even remote code execution if the attacker can control the content of the included files.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts if exploited by an authenticated attacker:

• Information disclosure by including sensitive PHP files that reveal internal data.
• Privilege escalation, allowing a low-privileged user to access admin-only pages or functions.
• Potential remote code execution if the attacker can control the content of the included files.

Overall, it compromises the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the NFSen module with path traversal payloads in the nfsen parameter while authenticated. For example, by navigating to the Netflow tab in LibreNMS and injecting a payload such as nfsen=..%2f..%2fapi-access in the URL, you can observe if unintended PHP files are included.

Detection involves verifying if the application improperly includes files based on unsanitized input. Monitoring web server logs for requests containing suspicious path traversal sequences like ../ or encoded equivalents (%2f) in the nfsen parameter can also help identify exploitation attempts.

Suggested commands to detect this vulnerability include using curl or wget to send crafted requests with path traversal payloads to the vulnerable endpoint, for example:

• curl -i -b 'auth_cookie=your_auth_cookie' 'http://your-libreNMS-server/device/device_id/nfsen?nfsen=..%2f..%2fapi-access'
• grep -r 'nfsen=' /var/log/apache2/access.log | grep '\.\./' # To find suspicious requests in logs

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and sanitization of the nfsen parameter before including any files. Specifically, use a whitelist of allowed page names to ensure only legitimate files are included.

For example, modify the code to check if the requested page is in an allowed list before including it, as shown below:

• Use a whitelist array such as ['general', 'stats', 'channel'] and include files only if the parameter matches one of these.
• Alternatively, use PHP's basename() function to strip path traversal characters from the input before inclusion.

Additionally, restrict access to the vulnerable module to trusted authenticated users only, and monitor for suspicious activity involving path traversal payloads.

Useful 0 Not Useful 0