CVE-2012-10048

HIGH

Zenoss Core 3.x - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-10048. PoCs published by Metasploit, Brendan Coles, bcoles, including Metasploit module exploits/linux/http/zenoss_showdaemonxmlconfig_exec.

AI-analyzed exploit summary This Metasploit module exploits a command execution vulnerability in Zenoss 3.x by leveraging the 'showDaemonXMLConfig' endpoint, which passes user-controlled input from the 'daemon' parameter to a Popen() call. It requires authentication and executes arbitrary commands under the context of the 'zenoss' user.

Description

Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in ZenossInfo.py without proper sanitation, allowing authenticated users to execute arbitrary commands on the server as the zenoss user.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremoteunix
https://www.exploit-db.com/exploits/20205

This Metasploit module exploits a command execution vulnerability in Zenoss 3.x by leveraging the 'showDaemonXMLConfig' endpoint, which passes user-controlled input from the 'daemon' parameter to a Popen() call. It requires authentication and executes arbitrary commands under the context of the 'zenoss' user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Zenoss 3.x
Auth required
Prerequisites: Valid Zenoss credentials · Network access to the Zenoss web interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Brendan Coles · textwebappsmultiple
https://www.exploit-db.com/exploits/37571

This exploit demonstrates multiple vulnerabilities in Zenoss 3.2.1 and prior, including command execution, XSS, open redirect, directory traversal, and information disclosure. The PoC provides URLs to exploit these issues without requiring authentication.

Classification
Working Poc 90%
Attack Type
Rce | Xss | Info Leak | Auth Bypass | Other
Complexity
Trivial
Reliability
Reliable
Target: Zenoss 3.2.1 and prior
No auth needed
Prerequisites: Network access to the target Zenoss instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GOOD
by bcoles · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb

This Metasploit module exploits a command execution vulnerability in Zenoss 3.x by leveraging the show_daemon_xml_configs() function in ZenossInfo.py, which calls Popen() with user-controlled data from the 'daemon' parameter. It sends a crafted POST request to execute arbitrary commands under the context of the 'zenoss' user.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Zenoss 3.x
Auth required
Prerequisites: Valid Zenoss credentials · Network access to the Zenoss web interface
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v4 8.7
EPSS 0.7195
EPSS Percentile 98.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
Zenoss, Inc./Zenoss Core 3.0
Zenoss, Inc./Zenoss Core 3.x
Published Aug 08, 2025
Tracked Since Feb 18, 2026