CVE-2012-10039

ZEN Load Balancer <3.0-rc1 - Command Injection

Description

ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitization. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby, remote, unix
https://www.exploit-db.com/exploits/21849

metasploit · WORKING POC · EXCELLENT
by bcoles · ruby, poc, unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zen_load_balancer_exec.rb

Scores

EPSS 0.4363
EPSS Percentile 97.5%

Classification

CWE
CWE-78
Status draft

Timeline

Published Aug 11, 2025
Tracked Since Feb 18, 2026