CVE-2009-4498
published 2009-12-31

CVE-2009-4498: The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.

Priority: P261, medium 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 31.91% (98.1th percentile)

Affected

19 ranges

Vendor | Product | Version range | Fixed in
debian | zabbix | < zabbix 1:1.8-1 (bookworm) | zabbix 1:1.8-1 (bookworm)
zabbix | zabbix | <= 1.7.4 |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | |
zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1
zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1
zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1
zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1

Detection & IOCs (extracted from sources)

  • Monitor TCP port 10051 (Zabbix trapper port) for unauthenticated 'Command' trap messages. The exploit sends a packet beginning with the literal string 'Command' followed by 0xFF (\255) delimiters, a node ID, a host ID, and an OS command — all without prior authentication.
  • If the initial exploitation attempt with Node ID 0 fails, the server leaks the correct Node ID in its error response (pattern: '-1' and 'NODE <digits>'). Detect repeated 'Command' trap connections from the same source IP where the second attempt uses a node ID extracted from the first response — indicative of automated exploitation retry logic.
  • The vulnerable code path is in node_process_command() within zabbix_server/trapper/nodecommand.c. Patch presence can be confirmed by verifying Zabbix Server is version 1.8 or later (or 1.6.8+ for the SQL injection variant).
  • The exploit defaults to Node ID 0 but will automatically retry with the correct Node ID leaked from the server error message. Detection logic must account for both single-attempt and two-attempt exploitation sequences.
  • The vulnerability affects Zabbix Server versions prior to 1.6.9 per the vendor, but the NVD/Debian tracker lists the patched version as 1.8. Ensure detection/patching targets all versions below 1.8.
  • No authentication is required to trigger the vulnerability; the 'Command' trap is processed by the Zabbix trapper service without any credential check.
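
The detection notes above can be turned into a small classifier over captured trapper exchanges. This is an added example, not code from this page or its sources; the field order (node ID, host ID, command) follows the description above, and the sample request and response bytes are constructed placeholders.

```python
import re

DELIM = b"\xff"  # the 0xFF (\255) field delimiter described above
NODE_LEAK = re.compile(rb"NODE (\d+)")  # node ID disclosed in the error reply

def parse_command_trap(payload):
    """Return {'node_id', 'host_id'} for a 'Command' trap, else None.
    Field order is an assumption taken from the description above."""
    if not payload.startswith(b"Command" + DELIM):
        return None
    fields = payload.split(DELIM, 3)[1:3]
    ids = [int(f) if f.isdigit() else None for f in fields]
    ids += [None] * (2 - len(ids))  # tolerate truncated packets
    return {"node_id": ids[0], "host_id": ids[1]}

def leaked_node_id(response):
    """Node ID from an error reply containing '-1' and 'NODE <digits>'."""
    m = NODE_LEAK.search(response)
    return int(m.group(1)) if m and b"-1" in response else None

def classify(events):
    """events: ordered (src_ip, request, response) tuples seen on TCP/10051.
    Returns {src_ip: 'single-attempt' | 'two-attempt-retry'}."""
    verdicts, pending_leak = {}, {}
    for src, req, resp in events:
        trap = parse_command_trap(req)
        if trap is None:
            continue  # not a 'Command' trap
        if src in pending_leak and trap["node_id"] == pending_leak[src]:
            # Second attempt reuses the node ID leaked by the first reply.
            verdicts[src] = "two-attempt-retry"
        else:
            verdicts.setdefault(src, "single-attempt")
        leak = leaked_node_id(resp)
        if leak is not None:
            pending_leak[src] = leak
    return verdicts

# Constructed sample traffic (documentation IP ranges, placeholder commands).
SAMPLE = [
    ("192.0.2.10", b"Command\xff0\xff10084\xff<cmd>", b"-1\xffNODE 12: <error text>"),
    ("192.0.2.10", b"Command\xff12\xff10084\xff<cmd>", b"0\xff<output>"),
    ("198.51.100.7", b"Command\xff3\xff10017\xff<cmd>", b"0\xff<output>"),
    ("203.0.113.5", b"<other trapper traffic>", b"<reply>"),
]

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```

Any verdict at all means an unauthenticated 'Command' trap reached the trapper port; the two-attempt verdict additionally matches the retry behaviour described above.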

CVSS provenance

nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | 6.8 | MEDIUM
vendor_debian | 6.8 | MEDIUM