CVE-2025-65014

Severity: LOW (3.7) | EPSS: 0.00%

LibreNMS has Weak Password Policy

Published: 2025/11/18 | Modified: 2025/11/20

Description

## Summary

A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as `12345678`. This exposes the platform to brute-force and credential stuffing attacks.

---

## Details

**Vulnerable Component:** User creation / password definition

The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.

---

## PoC

1. Log in to the application using an **Administrator** account.
2. Navigate to the user management section.
3. Create a new user account using the password `12345678`.

   ![image](https://github.com/user-attachments/assets/a20d4226-9f86-46ee-a4e6-45be91bb6b7b)

4. The application accepts the weak password without restrictions and creates the account successfully.

   ![image](https://github.com/user-attachments/assets/9bec15bf-b38f-448b-8f98-acca5724e143)

---

## Impact

Weak password policy vulnerabilities can have severe consequences, including:

- Increased risk of brute-force and credential stuffing attacks
- Unauthorized access to user or administrative accounts
- Privilege escalation through compromised credentials
- Degradation of the overall security posture of the platform

---

## Mitigation

- Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
- Block the use of commonly known weak passwords (e.g., `12345678`, `password`, `admin`, `qwerty`).
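The following is an added example, not code from the LibreNMS project or from the advisory author, showing how the mitigation above can be enforced at the point where a new user's password is accepted. The function names (`check_password_policy`, `is_acceptable`), the constant `MIN_LENGTH`, and the contents of the blocklist are assumptions for this example; a real deployment would load a far larger list of breached or common passwords. The blocklist check is deliberately applied to a normalised form of the password (lower-cased, punctuation removed, trailing digits stripped) so that trivial variants of a listed password such as `Password1!` are rejected as well, and the optional username check prevents the account name from being reused as its credential.

```python
import re

# Constructed blocklist of well-known weak passwords for this example; a real
# deployment would load a much larger list (e.g. a breached-password corpus).
COMMON_PASSWORDS = frozenset({
    "12345678", "123456789", "password", "password1", "admin", "qwerty",
    "letmein", "welcome", "iloveyou", "abc123",
})

MIN_LENGTH = 12  # minimum length from the advisory's mitigation guidance


def check_password_policy(password: str, username: str = "") -> list[str]:
    """Return the list of policy rules the password violates.

    An empty list means the password is acceptable. The rules mirror the
    advisory's mitigation: minimum length, required character classes, and
    a blocklist of commonly used passwords, plus a username check.
    """
    violations: list[str] = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        violations.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        violations.append("no special character")

    # Blocklist match is case-insensitive and ignores punctuation and trailing
    # digits, so trivial variants such as "Password1!" are still rejected.
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    stripped = core.rstrip("0123456789")
    if (password.lower() in COMMON_PASSWORDS
            or core in COMMON_PASSWORDS
            or (stripped and stripped in COMMON_PASSWORDS)):
        violations.append("matches a commonly used password")

    # The account name must not be embedded in its own credential.
    if username and username.lower() in password.lower():
        violations.append("contains the username")

    return violations


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper for a create-user handler: True when no rule is violated."""
    return not check_password_policy(password, username)


if __name__ == "__main__":
    for candidate in ("12345678", "Password1!", "correct-Horse-battery-7"):
        print(f"{candidate!r}: {check_password_policy(candidate) or 'OK'}")
```

In a create-user handler the call would be `is_acceptable(password, username)` before the account is persisted, with the violation list from `check_password_policy` returned to the administrator so the rejection is actionable rather than opaque.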

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |

References (3)