CVE-2009-0545
published 2009-02-12


Priority: P180 critical · CVSS 2.0: 10
AV:N / AC:L / Au:N / C:C / I:C / A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 90.73% (99.8th percentile)

cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zeroshell | zeroshell | | |

Detection & IOCs (extracted from sources)

path: /cgi-bin/kerbynet
path: /root/kerbynet.cgi/scripts/getkey
path: /var/register/system/ldap/rootpw
  • Look for unauthenticated GET requests to /cgi-bin/kerbynet with query parameters Section=NoAuthREQ, Action=x509List, and shell metacharacters (semicolons, quotes) in the 'type' parameter — this is the exploitation pattern for CVE-2009-0545.
  • Successful exploitation may result in /etc/passwd content (matching root:.*:0:0:) appearing in the HTTP response body — use this as a confirmation matcher.
  • The Metasploit module targets the RunScript action post-authentication to execute payloads with root privileges after retrieving the cleartext admin password from /var/register/system/ldap/rootpw via LFI.
  • Use Shodan query 'http.title:"zeroshell"', FOFA query 'title="zeroshell"', or Google dork 'intitle:"zeroshell"' to identify exposed ZeroShell instances for proactive scanning.
  • The Metasploit module targets ZeroShell 2.0 RC2 and lower, which is a broader scope than the NVD entry (1.0beta11 and earlier); ensure version targeting is correct for the specific engagement.
  • The admin password stored in /var/register/system/ldap/rootpw is in cleartext and is retrievable via the unauthenticated LFI before the RCE stage; defenders should monitor access to this file path.
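
The request-pattern and file-path checks from the notes above, written as a small access-log triage script. This is an added example, not code from this page or its sources. It assumes a web-server access log whose lines contain a quoted `"METHOD target HTTP/x"` request, and the label strings, the `demo` parameter name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# The page names semicolons and quotes; the other characters are an added generalization.
SHELL_META = set(";'\"`|&$<>(){}\n\r")
ROOTPW = "/var/register/system/ldap/rootpw"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def findings(line):
    """Return the detection labels that apply to one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != "/cgi-bin/kerbynet":
        return []
    # parse_qs percent-decodes once; unquote again so double-encoded values are seen too.
    qs = {k: [unquote(v) for v in vs]
          for k, vs in parse_qs(url.query, keep_blank_values=True).items()}
    out = []
    if "NoAuthREQ" in qs.get("Section", []) and "x509List" in qs.get("Action", []):
        if any(SHELL_META & set(v) for v in qs.get("type", [])):
            out.append("x509List-type-metachar")
    # Any parameter that names the cleartext admin password file is worth a look.
    if any(ROOTPW in v for vs in qs.values() for v in vs):
        out.append("rootpw-path-reference")
    return out

def scan(lines):
    """Return (line number, labels) for every line with at least one finding."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := findings(line))]

# Constructed sample lines, not real traffic. PLACEHOLDER stands in for a command,
# "pem" is a made-up benign value and "demo" is a made-up parameter name.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2009:10:00:00 +0000] "GET /cgi-bin/kerbynet?'
    'Section=NoAuthREQ&Action=x509List&type=%2A%22%3BPLACEHOLDER%3B%22 HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Feb/2009:10:00:05 +0000] "GET /cgi-bin/kerbynet?'
    'Section=NoAuthREQ&Action=x509List&type=pem HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Feb/2009:10:00:09 +0000] "GET /cgi-bin/kerbynet?'
    'demo=%2Fvar%2Fregister%2Fsystem%2Fldap%2Frootpw HTTP/1.1" 200 64',
    '198.51.100.4 - - [12/Feb/2009:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, labels in scan(SAMPLE_LOG):
        print(lineno, ", ".join(labels))
```

A hit only says the request matched the pattern; pair it with the response-body matcher from the notes above to judge whether the attempt succeeded.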

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 10.0 · CRITICAL