CVE-2017-17562

HIGH KEV NUCLEI

Embedthis GoAhead <3.6.5 - Remote Code Execution

Title source: nuclei

Exploitation Summary

CVE-2017-17562 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2021. EIP tracks 9 public exploits from researchers including Metasploit, Daniel Hodson, ivanitlearning, including a Metasploit module exploits/linux/http/goahead_ldpreload. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits CVE-2017-17562, a vulnerability in GoAhead web server that allows arbitrary shared library loading via LD_PRELOAD. It supports multiple architectures and payload types, including reverse and bind shells.

Description

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked. This is a result of initializing the environment of forked CGI scripts using untrusted HTTP request parameters in the cgiHandler function in cgi.c. When combined with the glibc dynamic linker, this behaviour can be abused for remote code execution using special parameter names such as LD_PRELOAD. An attacker can POST their shared object payload in the body of the request, and reference it using /proc/self/fd/0.

Exploits (9)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/43877

View Code ZIP pw:eip

This Metasploit module exploits CVE-2017-17562, a vulnerability in GoAhead web server that allows arbitrary shared library loading via LD_PRELOAD. It supports multiple architectures and payload types, including reverse and bind shells.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead Web Server versions 2.5 to 5.0.0

No auth needed

Prerequisites: CGI module enabled on the target server

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Daniel Hodson · pythonremotelinux

https://www.exploit-db.com/exploits/43360

View Code ZIP pw:eip

This exploit targets CVE-2017-17562, a remote code execution vulnerability in GoAhead httpd versions 2.5 to 3.6.5. It leverages LD_PRELOAD environment variable injection via CGI scripts to execute arbitrary shared objects.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead httpd 2.5 to 3.6.5

No auth needed

Prerequisites: CGI scripting enabled on the target server · Access to a CGI script path

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 9 stars

by ivanitlearning · remote

https://github.com/ivanitlearning/CVE-2017-17562

View Code ZIP pw:eip

This is a Python 3 exploit for CVE-2017-17562, targeting GoAhead web server versions 2.5 to 3.6.5. It automates the discovery of vulnerable CGI endpoints and delivers a malicious ELF shared object payload via LD_PRELOAD injection to achieve remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead web server 2.5 < 3.6.5

No auth needed

Prerequisites: Target running vulnerable GoAhead web server · Network access to the target · Pre-generated malicious ELF shared object payload

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 7 stars

by nu11pointer · remote

https://github.com/nu11pointer/goahead-rce-exploit

View Code ZIP pw:eip

This is a functional exploit for CVE-2017-17562, targeting GoAhead Web Server versions < 3.6.5. It leverages the LD_PRELOAD environment variable injection via CGI scripts to achieve remote code execution by sending a malicious shared object payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead Web Server < 3.6.5

No auth needed

Prerequisites: CGI enabled on the target server · A dynamically linked CGI program · Ability to generate a malicious .so payload

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by joaomagfreitas · poc

https://github.com/joaomagfreitas/bash-CVE-2017-17562

View Code ZIP pw:eip

This repository provides a Bash-based PoC for CVE-2017-17562, a vulnerability in GoAhead web server. It uses curl to craft HTTP requests and requires a crafted payload for exploitation.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead Web Server

No auth needed

Prerequisites: curl · vulnerable GoAhead web server · crafted payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by 1337g · remote

https://github.com/1337g/CVE-2017-17562

View Code ZIP pw:eip

This is a functional exploit for CVE-2017-17562, targeting GoAhead httpd versions 2.5 to 3.6.5. It leverages the LD_PRELOAD environment variable injection vulnerability to achieve remote code execution by sending a malicious shared object payload via a crafted POST request to a CGI script.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead httpd 2.5 to 3.6.5

No auth needed

Prerequisites: CGI scripting must be enabled on the target server · Knowledge of a valid CGI script name or ability to brute-force it

MITRE ATT&CK

T1189 - Drive-by Compromise T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by crispy-peppers · remote

https://github.com/crispy-peppers/Goahead-CVE-2017-17562

View Code ZIP pw:eip

This repository contains a reverse shell PoC for CVE-2017-17562, targeting the Goahead web server. The exploit leverages a constructor function to establish a reverse shell connection to a remote address and port, executing /bin/bash upon connection.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: GoAhead Web Server

No auth needed

Prerequisites: Remote address and port defined (REMOTE_ADDR, REMOTE_PORT) · Compilation of the C code · Execution context on the target system

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1090 - Proxy T1106 - Native API

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/freitzzz/bash-CVE-2017-17562

View Code ZIP pw:eip

This repository provides a Bash-based PoC for CVE-2017-17562, a vulnerability in GoAhead web server. It crafts HTTP requests using curl to exploit the vulnerability and requires a crafted payload to achieve remote code execution.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead Web Server

No auth needed

Prerequisites: curl · crafted payload (e.g., payload.so) · list of vulnerable CGI endpoints (optional)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/goahead_ldpreload.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2017-17562 in GoAhead web server by leveraging the LD_PRELOAD vulnerability to load arbitrary shared libraries via CGI scripts. It supports multiple architectures and payload types, including reverse and bind shells.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GoAhead Web Server versions 2.5 to 5.0.0 with CGI module enabled

No auth needed

Prerequisites: Target must have CGI module enabled · Access to a CGI script path on the GoAhead server

MITRE ATT&CK