Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-4498OS Command Injection in Zabbix

CWE-78OS Command Injection7 documents6 sources
Severity
6.8MEDIUMNVD
EPSS
71.8%
top 1.26%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
ZabbixDebian Zabbix
Timeline
PublishedDec 31
Latest updateMay 2

Description

The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

debiandebian/zabbix< zabbix 1:1.8-1 (bookworm)
Debianzabbix/zabbix< 1:1.8-1+3
NVDzabbix/zabbix1.7.4+13

🔴Vulnerability Details

2
GHSA
GHSA-jfgr-r9xc-vhc8: The node_process_command function in Zabbix Server before 12022-05-02
OSV
CVE-2009-4498: The node_process_command function in Zabbix Server before 12009-12-31

💥Exploits & PoCs

3
Exploit-DB
Zabbix Server - Arbitrary Command Execution (Metasploit)2012-08-27
Exploit-DB
Zabbix Server - Multiple Vulnerabilities2009-12-14
Metasploit
Zabbix Server Arbitrary Command Execution

📋Vendor Advisories

1
Debian
CVE-2009-4498: zabbix - The node_process_command function in Zabbix Server before 1.8 allows remote atta...2009