CVE-2019-12725

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

ZeroShell 3.9.0 - Unauthenticated Remote Command Execution via HTTP Parameter Injection

Title source: llm

Exploitation Summary

CVE-2019-12725 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 10 public exploits from researchers including Giuseppe Fuggiano, Fellipe Oliveira, and sma11new. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits an unauthenticated command injection vulnerability in ZeroShell 3.9.0 via the '/cgi-bin/kerbynet' endpoint, leveraging sudo misconfiguration to execute arbitrary commands as root using tar's checkpoint feature.

Description

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Giuseppe Fuggiano · ruby · webapps · linux
https://www.exploit-db.com/exploits/49096

This Metasploit module exploits an unauthenticated command injection vulnerability in ZeroShell 3.9.0 via the '/cgi-bin/kerbynet' endpoint, leveraging sudo misconfiguration to execute arbitrary commands as root using tar's checkpoint feature.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: ZeroShell 3.9.0
No auth needed
Prerequisites: Network access to the target's web interface · Target running ZeroShell 3.9.0
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Fellipe Oliveira · python · webapps · linux
https://www.exploit-db.com/exploits/49862

This exploit leverages a command injection vulnerability in ZeroShell 3.9.0 via the 'x509type' parameter in the '/cgi-bin/kerbynet' endpoint. It allows remote command execution by injecting commands between newline characters.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell < 3.9.0
No auth needed
Prerequisites: Network access to the target · Target running vulnerable ZeroShell version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 173 stars
by sma11new · remote
https://github.com/sma11new/PocList

The repository contains a functional Python exploit for CVE-2021-36749, an arbitrary file read vulnerability in Apache Druid. The exploit sends a crafted JSON payload to the Druid sampler endpoint to read files from the target system.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Apache Druid <=0.21.1
No auth needed
Prerequisites: Network access to the Druid server · Druid server with vulnerable endpoint exposed
devstral-2 · analyzed Feb 18, 2026

github WORKING POC 11 stars
by X-C3LL · python · poc
https://github.com/X-C3LL/PoC-CVEs/tree/master/CVE-2019-12725

This PoC exploits a command injection vulnerability in ZeroShell 3.9.0 and below by injecting a payload into the 'x509type' parameter via newline characters (%0a), bypassing a previous fix. It demonstrates remote command execution as root by leveraging the 'sudo tar' command with checkpoint actions.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell 3.9.0 and below
No auth needed
Prerequisites: Network access to the target · Vulnerable ZeroShell instance
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC 2 stars
by hev0x · remote
https://github.com/hev0x/CVE-2019-12725-Command-Injection

The repository contains a functional Python exploit for CVE-2019-12725, a remote command execution vulnerability in ZeroShell 3.9.0. The exploit leverages command injection via the 'x509type' parameter in the '/cgi-bin/kerbynet' endpoint, allowing unauthenticated attackers to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell 3.9.0
No auth needed
Prerequisites: Network access to the target ZeroShell instance
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by YZS17 · remote
https://github.com/YZS17/CVE-2019-12725

This Python script exploits a command injection vulnerability in Zyxel NAS devices by injecting commands into the 'x509type' parameter of the '/cgi-bin/kerbynet' endpoint. It allows remote command execution via a crafted HTTP GET request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel NAS devices (specific version not specified)
No auth needed
Prerequisites: Network access to the target device · Vulnerable Zyxel NAS device with exposed CGI endpoint
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by givemefivw · remote
https://github.com/givemefivw/CVE-2019-12725

This repository contains a functional exploit for CVE-2019-12725, a remote command execution vulnerability in ZeroShell. The exploit leverages a command injection flaw in the 'kerbynet' CGI script via the 'x509type' parameter, using 'sudo tar' with checkpoint actions to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell (version not specified)
No auth needed
Prerequisites: Network access to the target ZeroShell instance · CGI script 'kerbynet' must be accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by t0mmy4 · poc
https://github.com/t0mmy4/CVE-2019-12725-modified-exp

This repository contains a functional exploit for CVE-2019-12725, a remote command execution vulnerability in ZeroShell 3.9.0. The exploit leverages a command injection flaw in the `/cgi-bin/kerbynet` endpoint by manipulating the `x509type` parameter to execute arbitrary commands with elevated privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell 3.9.0
No auth needed
Prerequisites: Network access to the target ZeroShell instance · Target must be running ZeroShell 3.9.0
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by gougou123-hash · remote
https://github.com/gougou123-hash/CVE-2019-12725

The repository contains a functional Python script that exploits CVE-2019-12725, a command injection vulnerability in ZeroShell. The exploit sends crafted HTTP requests to execute arbitrary commands via the 'x509type' parameter in the '/cgi-bin/kerbynet' endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell (version not specified)
No auth needed
Prerequisites: Network access to the target ZeroShell instance
devstral-2 · analyzed Feb 18, 2026

vulncheck_xdb WORKING POC
remote
https://github.com/nowindows9/CVE-2019-12725-modified-exp

This repository contains a functional exploit for CVE-2019-12725, a remote command execution vulnerability in ZeroShell 3.9.0. The exploit leverages a command injection flaw in the 'x509type' parameter of the '/cgi-bin/kerbynet' endpoint to execute arbitrary commands with elevated privileges.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZeroShell 3.9.0
No auth needed
Prerequisites: Network access to the target · Target running ZeroShell 3.9.0
devstral-2 · analyzed Feb 25, 2026

Nuclei Templates (1)

Zeroshell 3.9.0 - Remote Command Execution
CRITICAL · by dwisiswant0, akincibor
Shodan: http.title:"zeroshell"
FOFA: title="zeroshell"

References (4)

Core References
Vendor Advisory x_refsource_misc
https://zeroshell.org/blog/
Exploit, Third Party Advisory x_refsource_misc
https://www.tarlogic.com/advisories/zeroshell-rce-root.txt

Scores

CVSS v3: 9.8
EPSS: 0.9414
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2021-06-03
InTheWild.io: 2021-09-30
CWE: CWE-78
Status: published
Products (1): zeroshell/zeroshell 3.9.0
Published: Jul 19, 2019
Tracked Since: Feb 18, 2026