CVE-2025-47931: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in librenms librenms

Severity: Low
Tags: Vulnerability, CVE-2025-47931, cve, cve-2025-47931, cwe-79
Published: Sat May 17 2025 (05/17/2025, 15:51:17 UTC)
Source: CVE
Vendor/Project: librenms
Product: librenms

Description

LibreNMS is PHP/MySQL/SNMP based network monitoring software. LibreNMS v25.4.0 and prior suffers from a Stored Cross-Site Scripting (XSS) Vulnerability in the `group name` parameter of the `http://localhost/poller/groups` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. LibreNMS v25.5.0 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/04/2025, 13:27:17 UTC

Technical Analysis

CVE-2025-47931 is a stored Cross-Site Scripting (XSS) vulnerability affecting LibreNMS, a widely used PHP/MySQL/SNMP-based network monitoring software. The vulnerability exists in versions prior to 25.5.0 and affects the 'group name' parameter of the /poller/groups form. Because input is improperly neutralized during web page generation (CWE-79), an attacker can inject JavaScript that is stored on the server and later executed in the browsers of users who view the affected page. This type of vulnerability can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim user. The attack is reachable over the network and requires no privileges (AV:N, PR:N), but it does require user interaction (UI:P), since the victim must visit the affected page to trigger the payload. The CVSS 4.0 base score is 2.1 (low severity), reflecting limited impact on confidentiality, integrity, and availability, and the lack of privilege requirements. LibreNMS version 25.5.0 includes a patch that properly sanitizes the group name input to prevent script injection. There are no known exploits in the wild at this time. Given LibreNMS's role in network monitoring, exploitation could allow attackers to target administrators or users with elevated privileges, potentially facilitating further attacks or information disclosure within monitored networks.

Potential Impact

For European organizations, the impact of this vulnerability is primarily on the confidentiality and integrity of user sessions and data accessible through LibreNMS. Since LibreNMS is often deployed in enterprise and service provider environments to monitor critical network infrastructure, successful exploitation could allow attackers to execute malicious scripts in the context of network administrators’ browsers. This could lead to theft of session cookies, unauthorized commands, or redirection to malicious sites, undermining trust in monitoring data and potentially enabling lateral movement within the network. However, the low CVSS score and requirement for user interaction limit the risk to targeted attacks rather than widespread automated exploitation. Organizations relying on LibreNMS for network visibility should consider the potential for attackers to leverage this vulnerability as an initial foothold or to escalate privileges indirectly. The absence of known active exploits reduces immediate risk but does not eliminate the need for prompt remediation.

Mitigation Recommendations

1. Upgrade LibreNMS to version 25.5.0 or later immediately to apply the official patch that sanitizes the 'group name' parameter input.
2. Implement strict Content Security Policy (CSP) headers on the LibreNMS web interface to restrict the execution of unauthorized scripts.
3. Restrict access to the LibreNMS web interface to trusted networks and users, ideally via VPN or zero-trust network access solutions, to reduce exposure to untrusted actors.
4. Conduct regular security awareness training for administrators and users to recognize suspicious behavior and avoid interacting with untrusted links or inputs.
5. Monitor web server and application logs for unusual input patterns or repeated attempts to inject scripts into the group name parameter.
6. Employ web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting LibreNMS.
7. Review and harden user roles and permissions within LibreNMS to minimize the impact of any compromised accounts.
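Because the payload in a stored XSS sits in the application's own data, the group names already saved can be audited directly, alongside the log monitoring in item 5. The Python check below is an added example, not LibreNMS code and not part of the original analysis: it flags group names that contain markup and shows the HTML-escaped form a page should emit. It assumes the names have been exported as (id, name) pairs; the function name and the sample rows are constructed for illustration.

```python
import html
import re

# Patterns that have no place in a poller group label: tag openers, inline
# event handlers, script-capable URL schemes and HTML character references.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z!]"),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "script_url": re.compile(r"\b(?:javascript|vbscript|data)\s*:", re.I),
    "char_reference": re.compile(r"&(?:#\d+|#x[0-9a-f]+|[a-z]+);", re.I),
}


def audit_group_names(rows):
    """Return findings for (id, name) rows whose name contains markup.

    Each finding lists the matched patterns and the HTML-escaped form of the
    name, i.e. the text a browser would display instead of parse.
    """
    findings = []
    for group_id, name in rows:
        reasons = [label for label, rx in SUSPICIOUS.items() if rx.search(name)]
        if reasons:
            findings.append({
                "id": group_id,
                "reasons": reasons,
                "escaped": html.escape(name, quote=True),
            })
    return findings


# Constructed sample rows (id, group name); not taken from a real installation.
SAMPLE_ROWS = [
    (1, "Core routers"),
    (2, "DC-East / rack 12"),
    (3, "<script>alert(1)</script>"),
    (4, 'edge" onmouseover="alert(1)'),
    (5, "R&D lab"),
]

if __name__ == "__main__":
    for f in audit_group_names(SAMPLE_ROWS):
        print(f"group {f['id']}: {', '.join(f['reasons'])} -> {f['escaped']}")
```

A flagged name is a prompt for review rather than proof of compromise; legitimate labels with a bare `&` or `/`, like rows 2 and 5, pass cleanly.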

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-14T10:32:43.529Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb489

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/4/2025, 1:27:17 PM

Last updated: 8/14/2025, 3:40:50 PM
