CVE-2009-4498
Published 2009-12-31
CVE-2009-4498: The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.
Priority P2 · 61 · medium · 6.8 · CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 31.91% (98.1th percentile)
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:1.8-1 (bookworm) | zabbix 1:1.8-1 (bookworm) |
| zabbix | zabbix | <= 1.7.4 | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
Detection & IOCs
- Monitor TCP port 10051 (Zabbix trapper port) for unauthenticated 'Command' trap messages. The exploit sends a packet beginning with the literal string 'Command' followed by 0xFF (\255) delimiters, a node ID, a host ID, and an OS command, all without prior authentication.
- If the initial exploitation attempt with Node ID 0 fails, the server leaks the correct Node ID in its error response (pattern: '-1' and 'NODE <digits>'). Detect repeated 'Command' trap connections from the same source IP where the second attempt uses a node ID extracted from the first response; this is indicative of automated exploitation retry logic.
- The vulnerable code path is in node_process_command() within zabbix_server/trapper/nodecommand.c. Patch presence can be confirmed by verifying Zabbix Server is version 1.8 or later (or 1.6.8+ for the SQL injection variant).
- The exploit defaults to Node ID 0 but will automatically retry with the correct Node ID leaked from the server error message. Detection logic must account for both single-attempt and two-attempt exploitation sequences.
- The vulnerability affects Zabbix Server versions prior to 1.6.9 per the vendor, but the NVD/Debian tracker lists the patched version as 1.8. Ensure detection/patching targets all versions below 1.8.
- No authentication is required to trigger the vulnerability; the 'Command' trap is processed by the Zabbix trapper service without any credential check.
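
The detection logic in the bullets above, as an added example (not code from any of the indexed sources): it parses trapper-port payloads for the 'Command' trap and flags a retry from the same source that reuses the node ID leaked in the previous error reply. The event tuple shape, the sample traffic and the exact field layout are assumptions made for illustration.

```python
import re

TRAPPER_PORT = 10051          # Zabbix trapper port named on this page
DELIM = b"\xff"               # the 0xFF (\255) field delimiter
NODE_LEAK = re.compile(rb"NODE (\d+)")   # node ID echoed in the error reply


def parse_command_trap(payload):
    """Return (node_id, host_id, command) for a 'Command' trap, else None.

    Field order follows the page's description; the exact layout is assumed.
    """
    if not payload.startswith(b"Command" + DELIM):
        return None
    fields = payload.split(DELIM, 3)[1:]
    fields += [b""] * (3 - len(fields))   # tolerate truncated captures
    return tuple(f.decode("latin-1").strip() for f in fields)


def detect(events):
    """events: (src_ip, dst_port, request, response) tuples in time order."""
    alerts, leaked = [], {}
    for src, port, request, response in events:
        if port != TRAPPER_PORT:
            continue
        trap = parse_command_trap(request)
        if trap is None:
            continue
        node_id = trap[0]
        # Two-attempt sequence: this request reuses the node ID leaked earlier.
        retry = leaked.get(src) == node_id
        kind = "retry-with-leaked-node-id" if retry else "command-trap"
        alerts.append((src, kind, node_id))
        leak = NODE_LEAK.search(response) if b"-1" in response else None
        if leak:
            leaked[src] = leak.group(1).decode()
    return alerts


# Constructed sample traffic (documentation addresses, placeholder command text).
SAMPLE_EVENTS = [
    ("192.0.2.10", 10051, b"Command\xff0\xff10001\xff<cmd>\n", b"-1\xffNODE 14"),
    ("192.0.2.10", 10051, b"Command\xff14\xff10001\xff<cmd>\n", b"0\xff<output>"),
    ("192.0.2.20", 10051, b"<req>agent data</req>", b"OK"),
    ("192.0.2.30", 8080, b"Command\xff0\xff1\xff<cmd>", b""),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Any 'Command' trap reaching the trapper port is worth an alert on its own; the retry label only raises confidence that an automated tool is driving the connection.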
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
osv · 6.8 MEDIUM
vendor_debian · 6.8 MEDIUM
GHSA
ghsa_unreviewed·2022-05-02
CVE-2009-4498 [MEDIUM] CWE-78 GHSA-jfgr-r9xc-vhc8: The node_process_command function in Zabbix Server before 1
OSV
osv·2009-12-31·CVSS 6.8
CVE-2009-4498 [MEDIUM] CVE-2009-4498: The node_process_command function in Zabbix Server before 1
Debian
vendor_debian·2009·CVSS 6.8
CVE-2009-4498 [MEDIUM] CVE-2009-4498: zabbix - The node_process_command function in Zabbix Server before 1.8 allows remote atta...
Scope: local
bookworm: resolved (fixed in 1:1.8-1)
bullseye: resolved (fixed in 1:1.8-1)
forky: resolved (fixed in 1:1.8-1)
sid: resolved (fixed in 1:1.8-1)
trixie: resolved (fixed in 1:1.8-1)
No detection rules found.
Exploit-DB
Zabbix Server - Arbitrary Command Execution (Metasploit)
exploitdb·2012-08-27
CVE-2009-4498 Zabbix Server - Arbitrary Command Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Zabbix Server Arbitrary Command Execution',
'Description' => %q{
This module abuses the "Command" trap in Zabbix Server to execute arbitrary
commands without authentication. By default the Node ID "0" is used, if it doesn't
work, the Node ID is leaked from the error message and exploitation retried.
According to the vendor versions prior to 1.6.9 are vulnerable. The vulnerability
has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.
},
'Au
Exploit-DB
Zabbix Server - Multiple Vulnerabilities
exploitdb·2009-12-14
CVE-2009-4501 Zabbix Server - Multiple Vulnerabilities
---
Zabbix Server : Multiple remote vulnerabilities
From: Nicob
Date: Sun, 13 Dec 2009 16:28:35 +0100
From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."
[Zabbix Server : Remote command execution]
Impacted software : Zabbix Server
Zabbix reference : https://support.zabbix.com/browse/ZBX-1030
Patched version : 1.8
Faulty source code : function node_process_command() in
zabbix_server/trapper/nodecommand.c
Changelog entry : fixed security vulnerability in server allowing remote
unauthenticated users to execute scripts
[Zabbix Server : Remote SQL execution]
Impacted software : Zabbix Server
Zabbix reference : https:
Metasploit
Zabbix Server Arbitrary Command Execution
metasploit
This module abuses the "Command" trap in Zabbix Server to execute arbitrary commands without authentication. By default the Node ID "0" is used, if it doesn't work, the Node ID is leaked from the error message and exploitation retried. According to the vendor versions prior to 1.6.9 are vulnerable. The vulnerability has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.
No writeups or analysis indexed.
- http://secunia.com/advisories/37740
- http://www.openwall.com/lists/oss-security/2010/04/02/1
- http://www.securityfocus.com/archive/1/508436/30/60/threaded
- http://www.vupen.com/english/advisories/2009/3514
- https://support.zabbix.com/browse/ZBX-1030
Published: 2009-12-31