CVE-2016-2056

HIGH

Xymon 4.1.x-4.3.x - Authenticated Command Injection via adduser_name Argument

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-2056. PoCs published by Metasploit, Markus Krell, bcoles, including Metasploit module exploits/unix/webapp/xymon_useradm_cmd_exec.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in Xymon's useradm.sh script, allowing authenticated users to execute arbitrary commands via improperly sanitized input passed to the htpasswd command.

Description

xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/47114

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Xymon's useradm.sh script, allowing authenticated users to execute arbitrary commands via improperly sanitized input passed to the htpasswd command.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Xymon versions before 4.3.25

Auth required

Prerequisites: Valid Xymon credentials · Access to the Xymon web interface

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Markus Krell, bcoles · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/xymon_useradm_cmd_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Xymon's useradm.sh script, allowing authenticated users to execute arbitrary commands as the web server user. The exploit leverages improper input validation in the username field during user creation.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Xymon versions before 4.3.25

Auth required

Prerequisites: Valid Xymon credentials · Access to the Xymon web interface

MITRE ATT&CK

T1202 - Indirect Command Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/537522/100/0/threaded

Patch x_refsource_confirm

https://sourceforge.net/p/xymon/code/7892/

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2016/dsa-3495

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/135758/Xymon-4.3.x-Buffer-Overflow-Code-Execution-Information-Disclosure.html

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/153620/Xymon-useradm-Command-Execution.html

Scores

CVSS v3 8.8

EPSS 0.5635

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-77

Status published

Products (33)

debian/debian_linux 8.0

xymon/xymon 4.1.0

xymon/xymon 4.1.1

xymon/xymon 4.1.2 (3 CPE variants)

xymon/xymon 4.2 alfa (3 CPE variants)

xymon/xymon 4.2.0

xymon/xymon 4.2.2 (2 CPE variants)

xymon/xymon 4.2.3 (2 CPE variants)

xymon/xymon 4.3.0 (5 CPE variants)

xymon/xymon 4.3.1

... and 23 more

Published Apr 13, 2016

Tracked Since Feb 18, 2026