CVE-2017-6970

HIGH

AlienVault USM/OSSIM <5.3.7/NfSen <1.3.8 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-6970. PoCs published by Paul Taylor.

AI-analyzed exploit summary This exploit leverages a UNIX domain socket to inject shell commands into NfSen's Perl components, achieving local privilege escalation from the web user (www-data) to root. The PoC uses a crafted payload to create a setuid root bash binary in /tmp.

Description

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow local users to execute arbitrary commands in a privileged context via an NfSen socket, aka AlienVault ID ENG-104863.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Paul Taylor · textlocallinux
https://www.exploit-db.com/exploits/42305

This exploit leverages a UNIX domain socket to inject shell commands into NfSen's Perl components, achieving local privilege escalation from the web user (www-data) to root. The PoC uses a crafted payload to create a setuid root bash binary in /tmp.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: NfSen <= 1.3.7, AlienVault USM/OSSIM <= 5.3.6
No auth needed
Prerequisites: Access to the target system as the web user (www-data)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Various Sources x_refsource_confirm
https://www.alienvault.com/forums/discussion/8325/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42305/
Various Sources x_refsource_confirm
https://www.alienvault.com/forums/discussion/8698

Scores

CVSS v3 8.4
EPSS 0.0168
EPSS Percentile 73.9%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (3)
alienvault/ossim < 5.3.6
alienvault/unified_security_management < 5.3.6
nfsen/nfsen < 1.3.7
Published Mar 22, 2017
Tracked Since Feb 18, 2026