Zenoss Core Command Injection Vulnerability in showDaemonXMLConfig Endpoint

Vulnerability

A command injection vulnerability has been identified in Zenoss Core versions 3.x through 4.1.70-1482. The issue arises in the showDaemonXMLConfig endpoint, where the daemon parameter is passed directly to a Popen() call in the ZenossInfo.py file without proper input validation. This flaw allows authenticated users to execute arbitrary commands on the server as the zenoss user.

Impact

Exploiting this vulnerability results in arbitrary command execution on the server in the context of the 'zenoss' user.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the /zport/About/showDaemonXMLConfig endpoint. The request must include the daemon parameter, which can be crafted to execute commands on the server. For example, including 'uname -a&' as the daemon parameter will execute the 'uname -a' command and return the output.

Remediation

Users are advised to update to Zenoss version 4.1.70-1485, where this vulnerability has been patched.
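
For teams auditing their own code for the same pattern, the following added example (Python 3, not code from Zenoss or from ZenossInfo.py) contrasts a request value concatenated into a shell-parsed string with an allowlisted name passed as a single argv element. The install path, daemon names, "genxmlconfigs" argument and all function names are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumptions for illustration: install directory, daemon names and the
# "genxmlconfigs" argument are placeholders, not taken from ZenossInfo.py.
BIN_DIR = "/opt/zenoss/bin"
KNOWN_DAEMONS = frozenset({"zenping", "zenhub", "zensyslog"})
DAEMON_NAME_RE = re.compile(r"[a-z][a-z0-9_]{1,31}")


class InvalidDaemon(ValueError):
    """Raised when the request's daemon value is not an expected name."""


def unsafe_command_string(daemon):
    # The flawed pattern described in the advisory: request data is
    # concatenated into a string that a shell will parse, so characters
    # such as "&" become shell syntax. Built for inspection, never executed.
    return BIN_DIR + "/" + daemon + " genxmlconfigs"


def safe_argv(daemon):
    # 1. Syntactic check: one short identifier, no whitespace, slashes
    #    or shell metacharacters.
    if not isinstance(daemon, str) or not DAEMON_NAME_RE.fullmatch(daemon):
        raise InvalidDaemon("malformed daemon name")
    # 2. Semantic check: must be a daemon the application knows about.
    if daemon not in KNOWN_DAEMONS:
        raise InvalidDaemon("unknown daemon")
    # 3. Argument vector: the name occupies exactly one argv slot.
    return [BIN_DIR + "/" + daemon, "genxmlconfigs"]


def show_daemon_xml_config(daemon, runner=subprocess.run):
    # No shell=True: the OS receives argv directly and no shell ever
    # interprets the request value. runner is injectable for testing.
    argv = safe_argv(daemon)
    result = runner(argv, capture_output=True, text=True, timeout=30, check=False)
    return result.stdout
```

Rejected values raise InvalidDaemon before any process is created, which also gives a clean point to log the attempt.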

Added: Aug 8, 2025, 8:09 PM
Updated: Aug 8, 2025, 8:54 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 10.0
exploitability: 6.6
remediation: 7.7
relevance: 0.3
threat: 7.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.