cbcvebase.
CVE-2012-10048
published 2025-08-08

CVE-2012-10048: Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in…

PriorityP266high8.7CVSS 4.0
AVNACLATNPRLUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
2.67%
83.8th percentile
Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in ZenossInfo.py without proper sanitation, allowing authenticated users to execute arbitrary commands on the server as the zenoss user.

Affected

1 ranges
VendorProductVersion rangeFixed in
zenoss_inczenoss_core

Detection & IOCsextracted from sources · hover to see the quote

url/zport/dmd/ZenossInfo/showDaemonXMLConfig
pathZenossInfo.py
  • Monitor HTTP requests to the showDaemonXMLConfig endpoint for shell metacharacters or command injection payloads in the 'daemon' parameter (e.g., semicolons, pipes, backticks, $() constructs).
  • Alert on child processes spawned by the Zenoss application process (zenoss user context) that are not typical daemon management processes, as exploitation results in arbitrary OS command execution via Popen().
  • Look for Metasploit module activity targeting Zenoss 3.x HTTP endpoints, specifically the exploit module path linux/http/zenoss_showdaemonxmlconfig_exec.
  • ·Exploitation requires prior authentication to the Zenoss web interface; unauthenticated access alone is insufficient to trigger the vulnerability.
  • ·The vulnerability is scoped to Zenoss Core 3.x; other major versions are not confirmed affected by this specific code path.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.