CVE-2025-65014 (GCVE-0-2025-65014)
Vulnerability from cvelistv5
Published
2025-11-18 23:01
Modified
2025-11-19 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-521 - Weak Password Requirements
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65014",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T14:53:12.978777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T14:53:16.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "librenms",
"vendor": "librenms",
"versions": [
{
"status": "affected",
"version": "\u003c 25.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521: Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T23:01:40.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
}
],
"source": {
"advisory": "GHSA-5mrf-j8v6-f45g",
"discovery": "UNKNOWN"
},
"title": "LibreNMS has Weak Password Policy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65014",
"datePublished": "2025-11-18T23:01:40.005Z",
"dateReserved": "2025-11-13T15:36:51.680Z",
"dateUpdated": "2025-11-19T14:53:16.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-65014\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-11-18T23:15:56.313\",\"lastModified\":\"2025-11-20T16:17:59.090\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-521\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"25.11.0\",\"matchCriteriaId\":\"BB2997C4-F47F-4823-8E14-6FBC84E84C74\"}]}]}],\"references\":[{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"LibreNMS has Weak Password Policy\", \"source\": {\"advisory\": \"GHSA-5mrf-j8v6-f45g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"librenms\", \"product\": \"librenms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 25.11.0\"}]}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g\", \"name\": \"https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-521\", \"description\": \"CWE-521: Weak Password Requirements\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-11-18T23:01:40.005Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-65014\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-19T14:53:12.978777Z\"}}}], \"references\": [{\"url\": \"https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2025-11-19T14:53:08.730Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-65014\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-18T23:01:40.005Z\", \"dateReserved\": \"2025-11-13T15:36:51.680Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-11-18T23:01:40.005Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
fkie_cve-2025-65014
Vulnerability from fkie_nvd
Published
2025-11-18 23:15
Modified
2025-11-20 16:17
Severity ?
Summary
LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g | Exploit, Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB2997C4-F47F-4823-8E14-6FBC84E84C74",
"versionEndExcluding": "25.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring tool. Prior to version 25.11.0, a weak password policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks. This issue has been patched in version 25.11.0."
}
],
"id": "CVE-2025-65014",
"lastModified": "2025-11-20T16:17:59.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-18T23:15:56.313",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
ghsa-5mrf-j8v6-f45g
Vulnerability from github
Published
2025-11-18 18:24
Modified
2025-11-19 14:22
Severity ?
VLAI Severity ?
Summary
LibreNMS has Weak Password Policy
Details
Summary
A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and credential stuffing attacks.
Details
Vulnerable Component: User creation / password definition
The application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.
PoC
-
Log in to the application using an Administrator account.
-
Navigate to the user management section:
-
Create a new user account using the password
12345678.
- The application accepts the weak password without restrictions and creates the account successfully.
Impact
Weak password policy vulnerabilities can have severe consequences, including:
-
Increased risk of brute-force and credential stuffing attacks
-
Unauthorized access to user or administrative accounts
-
Privilege escalation through compromised credentials
-
Degradation of the overall security posture of the platform
Mitigation
-
Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).
-
Block the use of commonly known weak passwords (e.g.,
12345678,password,admin,qwerty).
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "librenms/librenms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65014"
],
"database_specific": {
"cwe_ids": [
"CWE-521"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-18T18:24:26Z",
"nvd_published_at": "2025-11-18T23:15:56Z",
"severity": "LOW"
},
"details": "## Summary\n\nA **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as `12345678`. This exposes the platform to brute-force and credential stuffing attacks.\n\n---\n\n## Details\n\n**Vulnerable Component:** User creation / password definition\n\nThe application fails to enforce a strong password policy when creating new users. As a result, administrators can define trivial and well-known weak passwords, compromising the authentication security of the system.\n\n---\n\n## PoC\n\n1. Log in to the application using an **Administrator** account.\n \n2. Navigate to the user management section: \n \n3. Create a new user account using the password `12345678`.\n \n\n\u003cimg width=\"1103\" height=\"852\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a20d4226-9f86-46ee-a4e6-45be91bb6b7b\" /\u003e\n\n4. The application accepts the weak password without restrictions and creates the account successfully.\n \n\u003cimg width=\"1359\" height=\"487\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9bec15bf-b38f-448b-8f98-acca5724e143\" /\u003e\n\n---\n\n## Impact\n\nWeak password policy vulnerabilities can have severe consequences, including:\n\n- Increased risk of brute-force and credential stuffing attacks\n \n- Unauthorized access to user or administrative accounts\n \n- Privilege escalation through compromised credentials\n \n- Degradation of the overall security posture of the platform\n \n\n---\n\n## Mitigation\n\n- Enforce a strong password policy (e.g., minimum of 12 characters with uppercase, lowercase, digits, and special characters).\n \n- Block the use of commonly known weak passwords (e.g., `12345678`, `password`, `admin`, `qwerty`).",
"id": "GHSA-5mrf-j8v6-f45g",
"modified": "2025-11-19T14:22:58Z",
"published": "2025-11-18T18:24:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/librenms/librenms/security/advisories/GHSA-5mrf-j8v6-f45g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65014"
},
{
"type": "PACKAGE",
"url": "https://github.com/librenms/librenms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LibreNMS has Weak Password Policy"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…