CVE-2009-0545

EXPLOITED NUCLEI

ZeroShell <1.0beta11 - Command Injection

Title source: llm

Exploitation Summary

CVE-2009-0545 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including ikki and Yann CAM, one of which is the Metasploit module exploits/unix/webapp/zeroshell_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an input validation flaw in ZeroShell's web interface to execute arbitrary commands without authentication. The vulnerability is triggered via a crafted HTTP GET request to the kerbynet CGI script.

Description

cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.

Exploits (2)

exploitdb WORKING POC VERIFIED
by ikki · text · remote · hardware
https://www.exploit-db.com/exploits/8023

This exploit leverages an input validation flaw in ZeroShell's web interface to execute arbitrary commands without authentication. The vulnerability is triggered via a crafted HTTP GET request to the kerbynet CGI script.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell <= 1.0beta11
No auth needed
Prerequisites: Network access to the target's web interface
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Yann CAM · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/zeroshell_exec.rb

This Metasploit module exploits an unauthenticated local file inclusion vulnerability in ZeroShell to retrieve the admin password, then uses it to authenticate and execute arbitrary commands with root privileges via the RunScript action.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZeroShell 2.0 RC2 and lower
No auth needed
Prerequisites: Network access to the ZeroShell instance · The target must be running ZeroShell 2.0 RC2 or lower
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

ZeroShell <= 1.0beta11 Remote Code Execution
CRITICAL · by geeknik
Shodan: http.title:"zeroshell"
FOFA: title="zeroshell"

References (6)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/500763/100/0/threaded
Patch, Vendor Advisory x_refsource_misc
http://www.zeroshell.net/eng/announcements/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8023
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/0385

Scores

EPSS: 0.9351
EPSS Percentile: 99.8%

Details

VulnCheck KEV: 2019-06-13
CWE: CWE-20
Status: published
Products (1): zeroshell/zeroshell 1.0 beta1 (11 CPE variants)
Published: Feb 12, 2009
Tracked Since: Feb 18, 2026