CVE-2020-35476

CRITICAL EXPLOITED NUCLEI

OpenTSDB 2.4.0 unauthenticated command injection

Title source: metasploit

Exploitation Summary

CVE-2020-35476 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including glowbase, Shai rod, and Erik Wynter, among them the Metasploit module exploits/linux/http/opentsdb_yrange_cmd_injection. A Nuclei detection template is also available.

Description

A remote code execution vulnerability occurs in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The yrange value is written to a gnuplot file in the /tmp directory. This file is then executed via the mygnuplot.sh shell script. (tsd/GraphHandler.java attempted to prevent command injections by blocking backticks but this is insufficient.)

Exploits (2)

nomisec WORKING POC 2 stars
by glowbase · remote
https://github.com/glowbase/CVE-2020-35476

This repository contains a functional exploit for CVE-2020-35476, a remote code execution vulnerability in OpenTSDB through 2.4.0 via command injection in the yrange parameter. The exploit uses an SSRF technique to redirect requests and execute arbitrary commands.

Classification
Classification: Working PoC 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenTSDB version 2.4.0
Auth required
Prerequisites: Network access to the target OpenTSDB instance · Valid database credentials
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by Shai rod, Erik Wynter · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0 via the yrange parameter to achieve remote code execution as root. It first checks the target's version and configured metrics/aggregators before injecting the payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenTSDB <= 2.4.0
No auth needed
Prerequisites: OpenTSDB instance with at least one configured metric and aggregator
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

OpenTSDB <=2.4.0 - Remote Code Execution
CRITICAL · VERIFIED · by pikpikcu
Shodan: html:"OpenTSDB" || http.html:"opentsdb"
FOFA: body="opentsdb"

References (2)

Core References
Exploit, Issue Tracking, Third Party Advisory
https://github.com/OpenTSDB/opentsdb/issues/2051

Scores

CVSS v3 9.8
EPSS 0.9425
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2024-01-21
CWE: CWE-78
Status published
Products (2)
net.opentsdb/opentsdb 0 · Maven
opentsdb/opentsdb < 2.4.0
Published Dec 16, 2020
Tracked Since Feb 18, 2026