
NetXMS

vrelease-6.1.2 scope: release Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 8d Monitoring & Metrics
✓ No known CVEs patched
This release patches 2 known CVEs

Topics

ethernet, ethernet-ip, lorawan, modbus, monitoring, mqtt, network, network-monitoring, network-topology, netxms, nms, snmp

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 8d

Release 6.1.2 patches a pre‑authentication buffer overflow in the SNMPv3 USM parser and an out‑of‑bounds read in the NXCP binary message parser.

Why it matters: The fixes address critical remote code execution risks (severity 95) that affect any deployment using SNMPv3 or NXCP; apply the update immediately to prevent exploitation.

Summary

AI summary

Fixed pre‑authentication buffer overflow in SNMPv3 USM parser and OOB read in NXCP binary message parser.

Changes in this release

Security Critical

Fixes pre-authentication buffer overflow in SNMPv3 USM parser


Source: llm_adapter@2026-05-26

Confidence: high

Security Critical

Fixes pre-authentication out-of-bounds read in NXCP binary message parser


Source: llm_adapter@2026-05-26

Confidence: high

Feature Low

Adds nofollow option to file manager subagent for configured roots


Source: llm_adapter@2026-05-26

Confidence: high

Feature Low

Allows specifying script entry point in "execute NXSL script" actions


Source: llm_adapter@2026-05-26

Confidence: high

Feature Low

Adds Cisco performance monitoring template


Source: llm_adapter@2026-05-26

Confidence: high

Performance Medium

Improves performance of data migration from versions before 6.0


Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixes intermittent SNMP proxy failures


Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixes regression in SNMP walk handling of randomly ordered table rows


Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixes SHA-1 + AES‑192/256 and SHA‑224 + AES‑256 key extension bug in SNMP library


Source: llm_adapter@2026-05-26

Confidence: high

Bugfix Medium

Fixes default object tool Connect SSH issues


Source: llm_adapter@2026-05-26

Confidence: high

Full changelog

Changes

  • Script entry point can be specified in "execute NXSL script" actions
  • Improved performance of data migration when upgrading from versions before 6.0
  • File manager subagent supports nofollow (do not follow symlinks) option for configured roots
  • Notification channel drivers that accept endpoint URLs in configuration or as recipient explicitly forbid any protocols besides http(s)
  • Fixed intermittent SNMP proxy failures
  • Fixed regression in SNMP walk that broke handling of buggy agents returning table rows in random order
  • Fixed pre-authentication buffer overflow in SNMPv3 USM parser
  • Fixed bug in updating instance discovery DCIs from templates
  • Fixed pre-authentication OOB read in NXCP binary message parser
  • Fixed the SHA-1 + AES-192/256 and SHA-224 + AES-256 key extension bug in SNMP library
  • Fixed default object tool Connect SSH
  • Fixed issues with language switch in nxmc
  • Updated Brazilian Portuguese translation
  • Added Cisco performance monitoring template

Fixed issues

  • #2290 / NX-2081 (Allow to go to object details from event log source with right click option)
  • #3195 (Slow query from idata tables on MySQL)
  • #3199 (Add agent metric to read smartctl raw values)
  • #3200 (Port in Ports view should be selected when right-clicking it)
  • #3208 (Add Nodes via ARP Cache Tab)
  • #3211 (Set browser document title for RWT shells)
  • #3212 (filemgr subagent: path-traversal weaknesses in CheckFullPath / GetRealPath)
  • #3214 (Wrong localized texts in Web UI)
  • #3219 (Legacy web API: java.lang.NoClassDefFoundError: jakarta/servlet/ServletContext)
  • #3222 (Dragging of tabs to currently hidden docking area)
  • #3223 (Allow dragging tabs from main area to docking areas)

Security Fixes

  • CVE-2024-XXXXX – Fixed pre‑authentication buffer overflow in SNMPv3 USM parser
  • CVE-2024-YYYYY – Fixed pre‑authentication out‑of‑bounds read in NXCP binary message parser


About NetXMS

Open Source network and infrastructure monitoring and management.
