QwikSec

Security Database

CVE

CWE

Training

CVE-2012-10048

Published: Aug 8, 2025

Modified: Apr 7, 2026

PUBLISHED

Description

Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in ZenossInfo.py without proper sanitation, allowing authenticated users to execute arbitrary commands on the server as the zenoss user.

Vendor	Product	Versions
Zenoss, Inc.	Zenoss Core	affected `3.0`

Weaknesses (CWE)

References

https://www.exploit-db.com/exploits/20205

exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb

exploit

https://www.exploit-db.com/exploits/37571

exploit

http://web.archive.org/web/20221203180334/https://itsecuritysolutions.org/2012-07-30-zenoss-3.2.1-multiple-security-vulnerabilities/

technical-description

exploit

https://sourceforge.net/projects/zenoss/

product

https://www.vulncheck.com/advisories/zenoss-command-execution

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.