CVE-2024-52010

HIGH

Zoraxy 2.6.1-3.1.3 - Authenticated OS Command Injection via Web SSH Username Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-52010. PoCs published by iuds, b0ul1.

AI-analyzed exploit summary This script exploits a command injection vulnerability in the Zoraxy web interface by injecting a command into the 'username' parameter of the WebSSH tool. It uses curl to send a crafted POST request and then opens the resulting URL in a browser to trigger the payload.

Description

Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host. Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.

Exploits (2)

github WORKING POC

by iuds · shellpoc

https://github.com/iuds/-CVE-2024-52010-

View Code ZIP pw:eip

This script exploits a command injection vulnerability in the Zoraxy web interface by injecting a command into the 'username' parameter of the WebSSH tool. It uses curl to send a crafted POST request and then opens the resulting URL in a browser to trigger the payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zoraxy (version not specified)

Auth required

Prerequisites: valid CSRF token · authenticated session · access to the target's web interface

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 13, 2026 Full analysis →

nomisec WORKING POC

by b0ul1 · poc

https://github.com/b0ul1/-CVE-2024-52010-

View Code ZIP pw:eip

This exploit leverages a command injection vulnerability in the 'username' parameter of the WebSSH feature in Zoraxy. It encodes the malicious command, sends it via a crafted POST request, and retrieves a UUID to access the compromised session.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Zoraxy (version not specified)

Auth required

Prerequisites: Valid CSRF token · Authenticated session · Access to the target's WebSSH API

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j

Patch x_refsource_misc

https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0

View Patch ZIP pw:eip

Scores

CVSS v4 8.6

EPSS 0.0090

EPSS Percentile 76.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-78

Status published

Products (2)

tobychui/zoraxy 2.6.1 - 3.1.3Go

tobychui/zoraxy >= 2.6.1, < 3.1.3

Published Nov 12, 2024

Tracked Since Feb 18, 2026