CVE-2023-52251

HIGH EXPLOITED NUCLEI

Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.

Title source: metasploit

Exploitation Summary

CVE-2023-52251 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including BobTheShoplifter, including a Metasploit module exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2023-52251, an RCE vulnerability in provectus/kafka-ui versions 0.4.0-0.7.1. The exploit leverages unsanitized Groovy script execution via the 'q' parameter in the API endpoint, allowing arbitrary command execution.

Description

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

Exploits (2)

nomisec WORKING POC 20 stars

by BobTheShoplifter · remote

https://github.com/BobTheShoplifter/CVE-2023-52251-POC

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2023-52251, an RCE vulnerability in provectus/kafka-ui versions 0.4.0-0.7.1. The exploit leverages unsanitized Groovy script execution via the 'q' parameter in the API endpoint, allowing arbitrary command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: provectus/kafka-ui 0.4.0-0.7.1

No auth needed

Prerequisites: Network access to the vulnerable Kafka UI instance

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2023-52251, a command injection vulnerability in Kafka UI versions 0.4.0 to 0.7.1. It leverages the Groovy filter parameter to execute arbitrary shell commands via a crafted payload.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kafka UI v0.4.0 to v0.7.1

No auth needed

Prerequisites: Access to Kafka UI web interface · Target running vulnerable Kafka UI version

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Kafka UI 0.7.1 Command Injection

HIGHVERIFIEDby yhy0,iamnoooob

FOFA: icon_hash="-1477045616"

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/BobTheShoplifter/CVE-2023-52251-POC

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/177214/Kafka-UI-0.7.1-Command-Injection.html

Scores

CVSS v3 8.8

EPSS 0.9401

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2025-12-02

CWE

CWE-94

Status published

Products (1)

provectus/ui 0.4.0 - 0.7.1

Published Jan 25, 2024

Tracked Since Feb 18, 2026