CVE-2018-20434

CRITICAL

LibreNMS 1.46 - OS Command Injection via $_POST['community'] Parameter

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-20434. PoCs published by Askar, Metasploit, mhaskar, including Metasploit module exploits/linux/http/librenms_addhost_cmd_inject.

AI-analyzed exploit summary: This exploit leverages an authenticated RCE vulnerability in LibreNMS v1.46 by injecting a reverse shell payload into the SNMP community field during device creation. The payload is executed when the application processes the SNMP walk request.

Description

LibreNMS 1.46 allows remote attackers to execute arbitrary OS commands by using the $_POST['community'] parameter to html/pages/addhost.inc.php during creation of a new device, and then making a /ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=localhost request that triggers html/includes/output/capture.inc.php command mishandling.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Askar · python · webapps · php
https://www.exploit-db.com/exploits/47044

This exploit leverages an authenticated RCE vulnerability in LibreNMS v1.46 by injecting a reverse shell payload into the SNMP community field during device creation. The payload is executed when the application processes the SNMP walk request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreNMS v1.46
Auth required
Prerequisites: Valid authentication cookies for LibreNMS · Network connectivity to the target · Netcat listener on attacker's machine
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/46970

This Metasploit module exploits a command injection vulnerability in LibreNMS by injecting arbitrary commands via the unsanitized 'community' parameter in the addhost functionality. It authenticates, adds a device with a malicious payload, triggers the payload, and cleans up by deleting the device.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreNMS v1.46
Auth required
Prerequisites: Valid LibreNMS credentials · Network access to the LibreNMS web interface
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 9 stars
by mhaskar · poc
https://github.com/mhaskar/CVE-2018-20434

This exploit leverages an authenticated RCE vulnerability in LibreNMS v1.46 by injecting a reverse shell payload into the SNMP community field during device creation. The payload is executed when the application processes the device via an AJAX request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreNMS v1.46
Auth required
Prerequisites: Valid authenticated session cookies · Network connectivity to target · Listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by mhaskar, Shelby Pace · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/librenms_addhost_cmd_inject.rb

This Metasploit module exploits a command injection vulnerability in LibreNMS by injecting arbitrary commands via the 'community' parameter in the addhost functionality. It authenticates, adds a device with a malicious payload, triggers the payload execution, and cleans up by deleting the device.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: LibreNMS (versions prior to fix for CVE-2018-20434)
Auth required
Prerequisites: Valid LibreNMS credentials · Network access to the LibreNMS web interface
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d
Permissions Required, Third Party Advisory x_refsource_misc
https://drive.google.com/file/d/1LcGmOY8x-TG-wnNr-cM_f854kxk0etva/view?usp=sharing
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/

Scores

CVSS v3 9.8
EPSS 0.6633
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (2)
librenms/librenms 1.46
librenms/librenms Packagist
Published: Apr 24, 2019
Tracked Since: Feb 18, 2026