CVE-2017-11610

HIGH · EXPLOITED IN THE WILD · NUCLEI

Supervisor XML-RPC Authenticated Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2017-11610 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 5 public exploits from researchers including Metasploit, yaunsky and Dungsocool, among them the Metasploit module exploits/linux/http/supervisor_xmlrpc_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits an authenticated XML-RPC vulnerability in Supervisor (CVE-2017-11610) to achieve remote code execution by sending a malicious XML-RPC request to supervisord, which runs arbitrary shell commands as the supervisord user.

Description

The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups.

Exploits (5)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/42779

This Metasploit module exploits an authenticated XML-RPC vulnerability in Supervisor (CVE-2017-11610) to achieve remote code execution by sending a malicious XML-RPC request to supervisord, which runs arbitrary shell commands as the supervisord user.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Supervisor 3.0a1 to 3.3.2
Auth required
Prerequisites: Authenticated access to the Supervisor XML-RPC endpoint · Supervisor version between 3.0a1 and 3.3.2
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 4 stars
by yaunsky · remote-auth
https://github.com/yaunsky/CVE-2017-11610

This repository contains a Python-based exploit for CVE-2017-11610, a remote command execution vulnerability in Supervisor versions 3.1.2 to 3.3.2. The exploit leverages XML-RPC method calls to execute arbitrary commands via the `supervisor.supervisord.options.warnings.linecache.os.system` method.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Supervisor (3.1.2 to 3.3.2)
Auth required
Prerequisites: Supervisor with XML-RPC interface exposed · Weak or no authentication · Access to port 9001
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC
by Dungsocool · poc
https://github.com/Dungsocool/CVE-2017-11610

This repository contains a functional Python exploit for CVE-2017-11610, which targets a vulnerability in Supervisor's XML-RPC interface. The exploit leverages namespace traversal to access the `os.system` function, allowing arbitrary command execution on the target system.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: Supervisor (versions before 3.3.3)
No auth needed
Prerequisites: Network access to the Supervisor XML-RPC interface (typically port 9001)
devstral-2 · analyzed May 28, 2026

nomisec · WORKING POC
by ivanitlearning · remote-auth
https://github.com/ivanitlearning/CVE-2017-11610

This is a standalone Python exploit for CVE-2017-11610, targeting Supervisor versions 3.0a1 to 3.3.2. It achieves unauthenticated remote code execution via XML-RPC endpoint manipulation, delivering a reverse shell payload.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Supervisor 3.0a1 - 3.3.2
No auth needed
Prerequisites: Target running vulnerable Supervisor version · Network access to XML-RPC endpoint (default port 9001)
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · EXCELLENT
by Calum Hutton <[email protected]> · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb

This Metasploit module exploits CVE-2017-11610, an authenticated RCE vulnerability in Supervisor (3.0a1-3.3.2) via malicious XML-RPC requests. It leverages the `supervisor.supervisord.options.warnings.linecache.os.system` method to execute arbitrary commands.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: Supervisor 3.0a1 to 3.3.2
Auth required
Prerequisites: Authenticated access to Supervisor's XML-RPC endpoint · Network access to port 9001 (default)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

XML-RPC Server - Remote Code Execution
HIGH · by notnotnotveg
Shodan: http.title:"Supervisor Status" || http.title:"supervisor status"
FOFA: title="supervisor status"

References (12)

Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3005
Release Notes, Vendor Advisory x_refsource_confirm
https://github.com/Supervisor/supervisor/blob/3.3.3/CHANGES.txt
Release Notes, Vendor Advisory x_refsource_confirm
https://github.com/Supervisor/supervisor/blob/3.0.1/CHANGES.txt
Release Notes, Vendor Advisory x_refsource_confirm
https://github.com/Supervisor/supervisor/blob/3.2.4/CHANGES.txt
Release Notes, Vendor Advisory x_refsource_confirm
https://github.com/Supervisor/supervisor/blob/3.1.4/CHANGES.txt
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3942
Issue Tracking, Vendor Advisory x_refsource_confirm
https://github.com/Supervisor/supervisor/issues/964
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42779/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201709-06

Scores

CVSS v3 8.8
EPSS 0.9424
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-08
InTheWild.io 2021-04-08
CWE
CWE-276
Status published
Products (19)
debian/debian_linux 8.0
debian/debian_linux 9.0
fedoraproject/fedora 24
fedoraproject/fedora 25
fedoraproject/fedora 26
pypi/supervisor 0 - 3.0.1 (PyPI)
redhat/cloudforms 4.5
supervisord/supervisor 3.1.0
supervisord/supervisor 3.1.1
supervisord/supervisor 3.1.2
... and 9 more
Published Aug 23, 2017
Tracked Since Feb 18, 2026