Metasploit Exploits
3,221 exploits tracked across all sources.
HP PageWide/OfficeJet Pro <1708D - RCE
A potential security vulnerability has been identified with HP PageWide Printers, HP OfficeJet Pro Printers, with firmware before 1708D. This vulnerability could potentially be exploited to execute arbitrary code.
by Jacob Baines
CVSS 9.8
HP Data Protector - Improper Input Validation
The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory."
by ch0ks, c4an, wireghoul, Javier Ignacio
HP Network Node Manager i <9.2x - RCE
Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x, 9.1x, and 9.2x allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-2264.
by d(-_-)b, juan vazquez
Rocket Software UniData <8.2.4-11.3.5-12.2.1 - Auth Bypass
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from an authentication bypass vulnerability, where a special username with a deterministic password can be leveraged to bypass authentication checks and execute OS commands as the root user.
by Ron Bowes
CVSS 9.8
TP-Link Archer A7 Firmware <190726 - RCE
This vulnerability allows network-adjacent attackers execute arbitrary code on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tdpServer service, which listens on UDP port 20002 by default. This issue results from the use of hard-coded encryption key. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-9652.
CVSS 8.8
Microsoft OMI Management Interface Authentication Bypass
Open Management Infrastructure Remote Code Execution Vulnerability
by Nir Ohfeld, Shir Tamari, Spencer McIntyre, wvu
CVSS 9.8
HP LeftHand Virtual SAN Appliance <10.0 - RCE
Unspecified vulnerability on the HP LeftHand Virtual SAN Appliance hydra with software before 10.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1510.
by e6af8de8b1d4b2b6d5ba2610cbf9cd38, juan vazquez
Borland Software Interbase - Memory Corruption
Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers to execute arbitrary code via (1) a long service attach request on TCP port 3050 to the (a) SVC_attach or (b) INET_connect function, (2) a long create request on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database or (5) expand_filename2 function.
by Ramon de C Valle
LPRng 3.6.24 - RCE
Format string vulnerability in use_syslog() function in LPRng 3.6.24 allows remote attackers to execute arbitrary commands.
by jduck
Quest Privilege Manager For Unix < 6.0.0-50 - Memory Corruption
Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory corruption in the pmmasterd daemon.
by m0t
CVSS 9.8
Apache Storm <2.2.1, <1.2.4 - Command Injection
A Command Injection vulnerability exists in the getTopologyHistory service of the Apache Storm 2.x prior to 2.2.1 and Apache Storm 1.x prior to 1.2.4. A specially crafted thrift request to the Nimbus server allows Remote Code Execution (RCE) prior to authentication.
by Alvaro Muñoz, Spencer McIntyre
CVSS 9.8
Jenkins <2.32-2.19.3 - RCE
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a crafted serialized Java object, which triggers an LDAP query to a third-party server.
by Matthias Kaiser, Alisa Esage, Ivan, YSOSerial
CVSS 9.8
Zyxel ZyWALL/USG <4.73 - RCE
Improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35, which could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.
by sf
CVSS 9.8
Opensuse < 2.13 - Improper Input Validation
Incomplete blacklist vulnerability in nrpc.c in Nagios Remote Plug-In Executor (NRPE) before 2.14 might allow remote attackers to execute arbitrary shell commands via "$()" shell metacharacters, which are processed by bash.
by Rudolph Pereir
Rocket Software UniData <8.2.4-11.3.5-12.2.1 - RCE
Rocket Software UniData versions prior to 8.2.4 build 3003 and UniVerse versions prior to 11.3.5 build 1001 or 12.2.1 build 2002 suffer from a stack-based buffer overflow in the "udadmin" service that can lead to remote code execution as the root user.
by Ron Bowes
CVSS 9.8
Qnap Qts < 4.2.6 - Remote Code Execution
QNAP has patched a remote code execution vulnerability affecting the QTS Media Library in all versions prior to QTS 4.2.6 build 20170905 and QTS 4.3.3.0299 build 20170901. This particular vulnerability allows a remote attacker to execute commands on a QNAP NAS using a transcoding service on port 9251. A remote user does not require any privileges to successfully execute an attack.
by Zenofex, 0x00string, bcoles
CVSS 9.8
Jenkins CLI RMI Java Deserialization Vulnerability
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
CVSS 9.8
Cisco IOX XE Unauthenticated RCE Chain
Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software. We are updating the list of fixed releases and adding the Software Checker. Our investigation has determined that the actors exploited two previously unknown issues. The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access. The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue. CVE-2023-20198 has been assigned a CVSS Score of 10.0. CVE-2023-20273 has been assigned a CVSS Score of 7.2. Both of these CVEs are being tracked by CSCwh87343.
by sfewer-r7
CVSS 10.0
IGEL OS <11.04.270 - Command Injection
A command injection vulnerability exists in IGEL OS versions prior to 11.04.270 within the Secure Terminal and Secure Shadow services. The flaw arises due to improper input sanitization in the handling of specially crafted PROXYCMD commands on TCP ports 30022 and 5900. An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges.
NOTE: IGEL OS v10.x has reached end-of-life (EOL) status.
by Rob Vinson, James Brytan, James Smith, Marisa Mack, Sergey Pashevkin, Steven Laura
HP Linux Imaging And Printing Project - Improper Input Validation
hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip) 1.x and 2.x before 2.7.10 allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a from address, which is not properly handled when invoking sendmail.
by jduck
Cisco Rvs4000 Firmware < 2.0.3.2 - OS Command Injection
The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS4400N router with firmware 1.x through 1.1.13 and 2.x through 2.0.2.1, and RVS4000 router with firmware through 2.0.3.2 allow remote attackers to read credential and configuration data, and execute arbitrary commands, via requests to the test interface on TCP port 32764, aka Bug IDs CSCum37566, CSCum43693, CSCum43700, and CSCum43685.
Salt < 2019.2.4 - Path Traversal
An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class allows access to some methods that improperly sanitize paths. These methods allow arbitrary directory access to authenticated users.
by F-Secure, wvu
CVSS 6.5
Zabbix Server <1.8 - Command Injection
The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.
Unitrends UEB bpserverd authentication bypass RCE
It was discovered that the bpserverd proprietary protocol in Unitrends Backup (UB) before 10.0.0, as invoked through xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system.
by Jared Arave, Cale Smith, Benny Husted
CVSS 9.8
Netsupport Manager Agent - Memory Corruption
Stack-based buffer overflow in NetSupport Manager Agent for Linux 11.00, for Solaris 9.50, and for Mac OS X 11.00 allows remote attackers to execute arbitrary code via a long control hostname to TCP port 5405, probably a different vulnerability than CVE-2007-5252.
by Luca Carettoni (@_ikki), Evan, jduck
By Source