CVE-2012-2215

Novell ZENworks Configuration Management 11.1-11.1a - Unauthenticated Path Traversal via Preboot Service Opcode 0x21

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2012-2215. PoCs published by Luigi Auriemma, juan vazquez, Stephen Fewer, juan vazquez, including Metasploit module auxiliary/scanner/misc/zenworks_preboot_fileaccess.

AI-analyzed exploit summary This Metasploit module exploits a directory traversal vulnerability in Novell ZENworks Configuration Management Preboot Service via a crafted PROXY_CMD_FTP_FILE packet. It allows remote file access by sending a specially crafted packet to port 998/TCP.

Description

Directory traversal vulnerability in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to read arbitrary files via an opcode 0x21 request.

Exploits (2)

metasploit WORKING POC
by Luigi Auriemma, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/misc/zenworks_preboot_fileaccess.rb

This Metasploit module exploits a directory traversal vulnerability in Novell ZENworks Configuration Management Preboot Service via a crafted PROXY_CMD_FTP_FILE packet. It allows remote file access by sending a specially crafted packet to port 998/TCP.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Novell ZENworks Configuration Management 10 SP2 and SP3
No auth needed
Prerequisites: Network access to port 998/TCP · Knowledge of target file path
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Stephen Fewer, juan vazquez · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/novell/zenworks_preboot_op21_bof.rb

This Metasploit module exploits a buffer overflow in Novell ZENworks Configuration Management Preboot Service via opcode 0x21 (PROXY_CMD_FTP_FILE) on port 998/TCP. It uses a ROP chain to bypass DEP and achieve remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Novell ZENworks Configuration Management 10 SP2
No auth needed
Prerequisites: Network access to port 998/TCP · Vulnerable version of Novell ZENworks Configuration Management
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

EPSS 0.2826
EPSS Percentile 97.9%

Details

CWE
CWE-22
Status published
Products (2)
novell/zenworks_configuration_management 11.1
novell/zenworks_configuration_management 11.1a
Published Apr 09, 2012
Tracked Since Feb 18, 2026