CVE-2015-0975

OpenNMS Authenticated XXE


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-0975. Includes Metasploit module auxiliary/gather/opennms_xxe.

AI-analyzed exploit summary: This Metasploit module exploits an authenticated XXE vulnerability in OpenNMS to read arbitrary files from the server. It authenticates as the default 'rtc' user and sends a malicious XML payload to exfiltrate file contents.

Description

OpenNMS is vulnerable to XML External Entity Injection in the Real-Time Console interface. Although this attack requires authentication, there are several factors that increase the severity of this vulnerability.

1. OpenNMS runs with root privileges. From the OpenNMS FAQ: "The difficulty with the core of OpenNMS is that these components need to run as root to be able to bind to low-numbered ports or generate network traffic that requires root"
2. The user that you must authenticate as is the "rtc" user, which has the default password of "rtc". There is no mention of this user in the installation guides found at http://www.opennms.org/wiki/Tutorial_Installation, which mention only that you should change the default admin password of "admin" for security purposes.

Exploits (1)

Metasploit module (Ruby), working PoC
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/opennms_xxe.rb


Classification: Working PoC (100%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: OpenNMS (version not specified)
Auth required
Prerequisites: OpenNMS with default 'rtc' credentials · Network access to the OpenNMS web interface
devstral-2 · analyzed Feb 16, 2026

Details

Status: draft
Tracked Since: Feb 18, 2026