CVE-2009-4502
published 2009-12-31

CVE-2009-4502: The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the…

Priority: P265 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 21.57% (97.3th percentile)
The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

Affected

14 ranges
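| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| debian | zabbix | < zabbix 1:1.8-1 (bookworm) | zabbix 1:1.8-1 (bookworm) |
| zabbix | zabbix | <= 1.6.6 | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | | |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |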

Detection & IOCs (extracted from sources)

port: 10050
command: net.tcp.listen[80';id;echo ']
command: net.tcp.listen[<rnd_port>';{payload};']
  • Detect shell metacharacter injection in Zabbix agent requests: look for net.tcp.listen[] queries containing single-quote and semicolon characters on TCP port 10050.
  • Monitor Zabbix agent (TCP/10050) for responses containing 'ZBX_NOTSUPPORTED' or 'ZBXD' to identify active probing or exploitation attempts.
  • Flag any net.tcp.listen[] request arriving on TCP/10050 that contains shell metacharacters (single quotes, semicolons) as a command injection attempt against CVE-2009-4502.
  • The exploit requires the attacker to originate from or spoof a trusted/authorized Zabbix server IP; correlate unexpected net.tcp.listen[] queries from non-standard or spoofed source IPs.
  • Vulnerability only affects Zabbix Agent running on FreeBSD or Solaris; Linux/Windows agents are not impacted. Scope detection rules accordingly.
  • The EnableRemoteCommands=0 setting is bypassed by this vulnerability; disabling remote commands is NOT a sufficient mitigation on affected platforms.
  • Exploitation is limited to attackers originating from (or spoofing) a trusted IP address as defined in the Zabbix agent configuration file.
  • Faulty code is specifically in the NET_TCP_LISTEN() function within libs/zbxsysinfo/(freebsd|solaris)/net.c; patched in version 1.6.7.
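
The request-side checks in the list above can be expressed as a small classifier over captured TCP/10050 payloads. This is an added example, not code from the advisory or from Zabbix: the function names, the metacharacter set and the sample traffic are constructed for illustration, and it assumes a request is either a plain-text key or a key framed by a `ZBXD\x01` header with an 8-byte little-endian length.

```python
import re
import struct

ZBX_HEADER = b"ZBXD\x01"  # assumed framing: magic + version, then 8-byte LE length
KEY_RE = re.compile(r"net\.tcp\.listen\[(.*)\]", re.DOTALL)
PORT_ONLY = re.compile(r"\s*\d{1,5}\s*")  # a benign argument is just a port number
SHELL_META = set("';|&`$()<>\\\"\n")      # illustrative set, not exhaustive

def extract_key(payload: bytes) -> str:
    """Return the item key from a raw request, framed or plain text."""
    if payload.startswith(ZBX_HEADER) and len(payload) >= 13:
        (length,) = struct.unpack("<Q", payload[5:13])
        payload = payload[13:13 + length]
    return payload.decode("latin-1").rstrip("\r\n")

def inspect_request(payload: bytes):
    """Return (verdict, metacharacters found) for one agent request."""
    m = KEY_RE.search(extract_key(payload))
    if not m:
        return ("ignore", "")
    arg = m.group(1)
    if PORT_ONLY.fullmatch(arg):
        return ("ok", "")
    found = "".join(sorted(set(arg) & SHELL_META))
    return ("alert" if found else "suspicious", found)

def scan(events, trusted_servers):
    """events: iterable of (src_ip, payload). Trusted sources are still reported,
    because the attack only works from (or spoofing) a trusted address."""
    hits = []
    for src, payload in events:
        verdict, found = inspect_request(payload)
        if verdict in ("alert", "suspicious"):
            hits.append((src, verdict, found, src in trusted_servers))
    return hits

# Constructed sample traffic (documentation addresses, not real captures).
BODY = b"net.tcp.listen[80';id;echo ']"
SAMPLE = [
    ("192.0.2.10", b"net.tcp.listen[80]\n"),
    ("192.0.2.10", b"agent.ping\n"),
    ("192.0.2.10", BODY + b"\n"),
    ("198.51.100.7", ZBX_HEADER + struct.pack("<Q", len(BODY)) + BODY),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE, trusted_servers={"192.0.2.10"}):
        print(hit)
```

The last field of each hit records whether the source is a configured server, so a hit from a trusted address can be triaged as a possible spoofed or compromised server rather than dismissed.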

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
osv: 9.3 CRITICAL
vendor_debian: 9.3 CRITICAL