CVE-2024-47533

CRITICAL NUCLEI

Cobbler <3.2.3, <3.3.7 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2024-47533. PoCs published by dollarboysushil, baph00met, zs1n. A Nuclei detection template is also available.

AI-analyzed exploit summary This is a functional exploit for CVE-2024-47533, targeting Cobbler's XMLRPC authentication bypass vulnerability. It leverages the flawed `utils.get_shared_secret()` function to execute arbitrary commands via reverse shell payloads.

Description

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

Exploits (5)

nomisec WORKING POC 5 stars

by dollarboysushil · poc

https://github.com/dollarboysushil/CVE-2024-47533-Cobbler-XMLRPC-Authentication-Bypass-RCE-Exploit-POC

View Code ZIP pw:eip

This is a functional exploit for CVE-2024-47533, targeting Cobbler's XMLRPC authentication bypass vulnerability. It leverages the flawed `utils.get_shared_secret()` function to execute arbitrary commands via reverse shell payloads.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cobbler versions 3.0.0 to 3.2.3 (exclusive) and 3.3.7 (exclusive)

No auth needed

Prerequisites: Network access to Cobbler's XMLRPC endpoint (typically port 25151) · A listener set up to receive the reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by baph00met · poc

https://github.com/baph00met/CVE-2024-47533

View Code ZIP pw:eip

This PoC exploits CVE-2024-47533 in Cobbler by leveraging an authentication bypass and template injection to achieve remote code execution. It creates a malicious kickstart template with embedded Python code that executes arbitrary commands during the rendering process.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Cobbler (version not specified)

No auth needed

Prerequisites: Network access to Cobbler XML-RPC endpoint · Cobbler service running with vulnerable configuration

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by zs1n · poc

https://github.com/zs1n/CVE-2024-47533

View Code ZIP pw:eip

This PoC exploits an authentication bypass in Cobbler's XMLRPC interface (CVE-2024-47533) by leveraging a flawed shared secret function to execute arbitrary commands via the `background_import` method, resulting in remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cobbler versions 3.0.0 to 3.2.3 (exclusive) and 3.3.7 (exclusive)

No auth needed

Prerequisites: Network access to Cobbler's XMLRPC API (typically port 25151) · Python 3 environment

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by okkotsu1 · poc

https://github.com/okkotsu1/CVE-2024-47533

View Code ZIP pw:eip

This exploit leverages an authentication bypass in Cobbler's XML-RPC API (CVE-2024-47533) to execute a reverse shell via a malicious kickstart template. It bypasses authentication by using an empty username and a password of -1, then triggers payload execution through profile rendering.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cobbler (3.0.0 to 3.2.2, 3.3.0 to 3.3.6)

No auth needed

Prerequisites: Network access to Cobbler XML-RPC endpoint · Attacker-controlled listener for reverse shell

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1189 - Drive-by Compromise T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by 00xCanelo · poc

https://github.com/00xCanelo/CVE-2024-47533-PoC

View Code ZIP pw:eip

This is a functional PoC exploit for CVE-2024-47533, an authentication bypass in Cobbler's XML-RPC interface leading to unauthenticated RCE via command injection in the `background_import` function.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cobbler (3.0.0 to 3.2.2, 3.3.0 to 3.3.6)

No auth needed

Prerequisites: Network access to Cobbler XML-RPC endpoint · Listener setup for reverse shell

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Cobbler 'XML-RPC' - Authentication Bypass

CRITICALVERIFIEDby songyaeji

Shodan: http.title:"Cobbler Web Interface"

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h

Patch x_refsource_misc

https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.7247

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-287

Status published

Products (3)

cobbler/cobbler >= 3.0.0, < 3.2.3

cobbler/cobbler >= 3.3.0, < 3.3.7

pypi/cobbler 3.3.0 - 3.3.7PyPI

Published Nov 18, 2024

Tracked Since Feb 18, 2026