CVE-2019-16278

CRITICAL KEV NUCLEI

nostromo_nhttpd <= 1.9.6 - Remote Code Execution via Directory Traversal in http_verify

Title source: llm

Exploitation Summary

CVE-2019-16278 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 7, 2024. EIP tracks 21 public exploits from researchers including Kr0ff, Metasploit, jas502n, including a Metasploit module exploits/multi/http/nostromo_code_exec. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a path traversal vulnerability in nostromo 1.9.6 to achieve remote code execution by sending a maliciously crafted HTTP POST request. The payload bypasses input validation to execute arbitrary shell commands via the '.%0d' directory traversal technique.

Description

Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.

Exploits (21)

exploitdb WORKING POC VERIFIED

by Kr0ff · pythonremotemultiple

https://www.exploit-db.com/exploits/47837

View Code ZIP pw:eip

This exploit leverages a path traversal vulnerability in nostromo 1.9.6 to achieve remote code execution by sending a maliciously crafted HTTP POST request. The payload bypasses input validation to execute arbitrary shell commands via the '.%0d' directory traversal technique.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: nostromo 1.9.6

No auth needed

Prerequisites: Network access to the target server · Nostromo server running on port 80 or another specified port

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/47573

View Code ZIP pw:eip

This Metasploit module exploits CVE-2019-16278, a directory traversal vulnerability in Nostromo web server <= 1.9.6, allowing unauthenticated remote command execution via a crafted HTTP POST request targeting the `http_verify` function.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Nostromo nhttpd <= 1.9.6

No auth needed

Prerequisites: Network access to the Nostromo web server · Server running Nostromo <= 1.9.6

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 70 stars

by jas502n · remote

https://github.com/jas502n/CVE-2019-16278

View Code ZIP pw:eip

The repository contains functional exploit scripts for CVE-2019-16278 (RCE via directory traversal) and CVE-2019-16279 (DoS via memory error). The PoC for CVE-2019-16278 sends a crafted HTTP POST request to execute arbitrary commands via `/bin/sh`, while the DoS exploit floods the target with excessive ` ` sequences.

Classification

Working Poc 100%

Attack Type

Rce | Dos

Complexity

Trivial

Reliability

Reliable

Target: Nostromo httpd <= 1.9.6

No auth needed

Prerequisites: Network access to the target server · Nostromo httpd running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1499.004 - Application or System Exploitation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 9 stars

by imjdl · remote

https://github.com/imjdl/CVE-2019-16278-PoC

View Code ZIP pw:eip

This repository contains a functional Python-based exploit for CVE-2019-16278, a path traversal vulnerability in Nhttpd that allows remote command execution via crafted HTTP requests. The PoC sends a malformed POST request to execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nhttpd (version not specified)

No auth needed

Prerequisites: Network access to the target server · Nhttpd running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 8 stars

by AnubisSec · remote

https://github.com/AnubisSec/CVE-2019-16278

View Code ZIP pw:eip

The repository contains a functional Python script that exploits CVE-2019-16278, a path traversal vulnerability in Nostromo web server leading to unauthenticated remote code execution. The exploit sends a crafted HTTP POST request to traverse directories and execute arbitrary commands via `/bin/sh`.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo web server (nhttpd) <= 1.9.6

No auth needed

Prerequisites: Network access to the target Nostromo web server · Nostromo web server running on a vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 6 stars

by aN0mad · remote

https://github.com/aN0mad/CVE-2019-16278-Nostromo_1.9.6-RCE

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, which targets a remote code execution vulnerability in Nostromo nhttpd <= 1.9.6. The exploit leverages a path traversal flaw in the HTTP request handling to execute arbitrary commands on the server.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo nhttpd <= 1.9.6

No auth needed

Prerequisites: Network access to the target server · Nostromo nhttpd <= 1.9.6 running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 3 stars

by andknownmaly · remote

https://github.com/andknownmaly/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, a remote code execution vulnerability in Nostromo nhttpd <= 1.9.6. The exploit leverages directory traversal via URL-encoded CRLF characters to execute arbitrary commands via /bin/sh.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo nhttpd <= 1.9.6

No auth needed

Prerequisites: Network access to target server · Target running vulnerable Nostromo nhttpd

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 3 stars

by ianxtianxt · remote

https://github.com/ianxtianxt/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, a remote command execution vulnerability in Nostromo httpd (nhttpd) 1.9.6. The exploit crafts a malicious HTTP POST request with a payload that bypasses input validation, allowing arbitrary command execution on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo httpd (nhttpd) 1.9.6

No auth needed

Prerequisites: Target running Nostromo httpd 1.9.6 · Network access to the target's HTTP port

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by cancela24 · remote

https://github.com/cancela24/CVE-2019-16278-Nostromo-1.9.6-RCE

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2019-16278, a directory traversal vulnerability in Nostromo Web Server 1.9.6 that allows remote code execution via a crafted HTTP request. The exploit uses pwntools to send a reverse shell payload to the target.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Nostromo Web Server 1.9.6

No auth needed

Prerequisites: Python 3.x · pwntools library · netcat on target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Kr0ff · remote

https://github.com/Kr0ff/cve-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, which targets a directory traversal vulnerability in Nostromo (nhttpd) 1.9.6, leading to remote code execution (RCE). The exploit sends a crafted HTTP POST request to traverse directories and execute arbitrary commands via `/bin/sh`.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo (nhttpd) 1.9.6

No auth needed

Prerequisites: Network access to the target server · Nostromo (nhttpd) 1.9.6 running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by darkerego · remote

https://github.com/darkerego/Nostromo_Python3

View Code ZIP pw:eip

This repository contains a functional Python3 exploit for CVE-2019-16278, targeting a path traversal vulnerability in Nostromo web server versions <= 1.9.6. The exploit sends a crafted HTTP POST request to execute arbitrary commands via a traversal sequence (./.%0d./) leading to /bin/sh.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo web server <= 1.9.6

No auth needed

Prerequisites: Network access to the vulnerable Nostromo web server · Nostromo web server version <= 1.9.6

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

gitlab WORKING POC

by Kr0ff · poc

https://gitlab.com/Kr0ff/cve-2019-16278

View Code ZIP pw:eip

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo (nhttpd) 1.9.6

No auth needed

Prerequisites: Network access to the target server · Nostromo (nhttpd) 1.9.6 running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

nomisec WORKING POC

by h3x0v3rl0rd · poc

https://github.com/h3x0v3rl0rd/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, a remote code execution vulnerability in nostromo 1.9.6. The exploit sends a crafted HTTP POST request with a path traversal payload to execute arbitrary commands on the target system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: nostromo 1.9.6

No auth needed

Prerequisites: Target must be running nostromo 1.9.6 · Network access to the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by CybermonkX · remote

https://github.com/CybermonkX/CVE-2019-16278_Nostromo-1.9.6---Remote-Code-Execution

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, targeting Nostromo 1.9.6. The exploit leverages directory traversal to achieve remote code execution by sending a crafted HTTP POST request.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo 1.9.6

No auth needed

Prerequisites: Target running Nostromo 1.9.6 · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by FredBrave · remote

https://github.com/FredBrave/CVE-2019-16278-Nostromo-1.9.6-RCE

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2019-16278, targeting Nostromo 1.9.6. The exploit leverages a path traversal vulnerability to achieve remote code execution (RCE) via a crafted HTTP request.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo 1.9.6

No auth needed

Prerequisites: Network access to the target · Nostromo 1.9.6 running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by keshiba · remote

https://github.com/keshiba/cve-2019-16278

View Code ZIP pw:eip

This repository contains a functional Rust-based exploit for CVE-2019-16278, targeting nhttpd v1.9.6. The exploit sends a maliciously crafted HTTP POST request to trigger remote code execution via a path traversal vulnerability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: nhttpd v1.9.6

No auth needed

Prerequisites: Network access to the target nhttpd server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by alexander-fernandes · remote

https://github.com/alexander-fernandes/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, which leverages a directory traversal vulnerability in Nostromo nhttpd 1.9.6 to achieve unauthenticated remote code execution via a crafted HTTP POST request.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo nhttpd 1.9.6

No auth needed

Prerequisites: Network access to the target Nostromo web server · Nostromo nhttpd 1.9.6 running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by NHPT · remote

https://github.com/NHPT/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, a path traversal vulnerability in Nostromo web server <= 1.9.6 that allows remote command execution via crafted HTTP requests with %0d bypass.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo web server <= 1.9.6

No auth needed

Prerequisites: Network access to the target Nostromo web server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/Ghostdust-u/pentest

View Code ZIP pw:eip

The repository contains a functional Python exploit for CVE-2019-16278, a remote command execution vulnerability in the Nostromo web server. The exploit constructs a malicious HTTP POST request to execute arbitrary commands via a path traversal and command injection technique.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo web server (nhttpd) 1.9.6 and earlier

No auth needed

Prerequisites: Network access to the target server · Nostromo web server running on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote

https://github.com/n3rdh4x0r/CVE-2019-16278

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2019-16278, a remote code execution vulnerability in Nostromo 1.9.6. The exploit leverages a path traversal flaw in the HTTP request handling to execute arbitrary commands via a crafted POST request.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo 1.9.6

No auth needed

Prerequisites: Target IP address · Target port · Command to execute

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

metasploit WORKING POC GOOD

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/nostromo_code_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a directory traversal vulnerability (CVE-2019-16278) in Nostromo <= 1.9.6 to achieve remote command execution via a crafted HTTP POST request targeting `/bin/sh`. It supports both in-memory Unix payloads and Linux droppers for various architectures.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Nostromo <= 1.9.6

No auth needed

Prerequisites: Network access to the Nostromo web server · Nostromo version <= 1.9.6

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

nostromo 1.9.6 - Remote Code Execution

CRITICALby pikpikcu

References (6)

Core 6

Core References

Release Notes x_refsource_misc

http://www.nazgul.ch/dev/nostromo_cl.txt

Broken Link, Not Applicable x_refsource_misc

https://sp0re.sh

Broken Link, Exploit, Third Party Advisory x_refsource_misc

https://git.sp0re.sh/sp0re/Nhttpd-exploits

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/155045/Nostromo-1.9.6-Directory-Traversal-Remote-Command-Execution.html

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/155802/nostromo-1.9.6-Remote-Code-Execution.html

US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-16278

Scores

CVSS v3 9.8

EPSS 0.9439

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2024-11-07

VulnCheck KEV 2020-05-07

InTheWild.io 2024-11-07

ENISA EUVD EUVD-2019-7077

CWE

CWE-22

Status published

Products (1)

nazgul/nostromo_nhttpd < 1.9.7

Published Oct 14, 2019

KEV Added Nov 07, 2024

Tracked Since Feb 18, 2026