CVE-2009-4502

Zabbix Agent <1.6.7 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-4502. PoCs published by Metasploit, Nicob, hdm, including Metasploit module exploits/unix/misc/zabbix_agent_exec.

AI-analyzed exploit summary This Metasploit module exploits a metacharacter injection vulnerability in Zabbix Agent's net.tcp.listen command on FreeBSD and Solaris systems. It sends a maliciously crafted request to execute arbitrary commands if the attacker's IP is in the allowed server list.

Description

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotefreebsd
https://www.exploit-db.com/exploits/16918

This Metasploit module exploits a metacharacter injection vulnerability in Zabbix Agent's net.tcp.listen command on FreeBSD and Solaris systems. It sends a maliciously crafted request to execute arbitrary commands if the attacker's IP is in the allowed server list.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Zabbix Agent (FreeBSD/Solaris versions)
No auth needed
Prerequisites: Attacker's IP must be in the Zabbix Agent's allowed server list
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Nicob · textwebappsmultiple
https://www.exploit-db.com/exploits/10431

This exploit bypasses the EnableRemoteCommands=0 restriction in Zabbix Agent on FreeBSD and Solaris by injecting arbitrary commands via the net.tcp.listen parameter. The vulnerability arises from improper input validation in the NET_TCP_LISTEN function.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Zabbix Agent < 1.6.7 (FreeBSD and Solaris only)
No auth needed
Prerequisites: network access to Zabbix Agent port (10050) · attacker must come from or spoof a trusted IP address
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by hdm · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/misc/zabbix_agent_exec.rb

This Metasploit module exploits a metacharacter injection vulnerability in Zabbix Agent's net.tcp.listen command on FreeBSD and Solaris systems. It sends a maliciously crafted payload to execute arbitrary commands if the attacker's IP is in the allowed server list.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Zabbix Agent (FreeBSD/Solaris versions)
No auth needed
Prerequisites: Attacker's IP must be in the Zabbix Agent's allowed server list
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/508439
Exploit x_refsource_confirm
https://support.zabbix.com/browse/ZBX-1032
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37740
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3514

Scores

EPSS 0.2157
EPSS Percentile 97.3%

Details

CWE
CWE-264
Status published
Products (9)
zabbix/zabbix 1.1.2
zabbix/zabbix 1.1.3
zabbix/zabbix 1.1.4
zabbix/zabbix 1.1.5
zabbix/zabbix 1.4.2
zabbix/zabbix 1.4.3
zabbix/zabbix 1.4.4
zabbix/zabbix 1.4.6
zabbix/zabbix < 1.6.6
Published Dec 31, 2009
Tracked Since Feb 18, 2026