CVE-2012-10039

CVSS

No CVSS.

Z

EN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor.

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/zen_load_balancer_exec.rb
https://web.archive.org/web/20111015031540/http://www.zenloadbalancer.com/
https://web.archive.org/web/20221203195056/https://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/
https://www.exploit-db.com/exploits/21849
https://www.fortiguard.com/encyclopedia/ips/33335/zen-load-balancer-filelog-command-execution

Configurations

No configuration.

History

11 Aug 2025, 18:32

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-11 15:15

Updated : 2025-08-11 18:32

NVD link : CVE-2012-10039

Mitre link : CVE-2012-10039

CVE.ORG link : CVE-2012-10039

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2012-10039", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-11T15:15:27.370", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/zen_load_balancer_exec.rb", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20111015031540/http://www.zenloadbalancer.com/", "source": "[email protected]"}, {"url": "https://web.archive.org/web/20221203195056/https://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/21849", "source": "[email protected]"}, {"url": "https://www.fortiguard.com/encyclopedia/ips/33335/zen-load-balancer-filelog-command-execution", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user.\u00a0ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor."}, {"lang": "es", "value": "Las versiones 2.0 y 3.0-rc1 de ZEN Load Balancer contienen una vulnerabilidad de inyecci\u00f3n de comandos en content2-2.cgi. El par\u00e1metro filelog se pasa directamente a una llamada exec() delimitada por comillas invertidas sin depuraci\u00f3n. Un atacante autenticado puede inyectar comandos de shell arbitrarios, lo que resulta en la ejecuci\u00f3n remota de c\u00f3digo como usuario root. ZEN Load Balancer es el predecesor de ZEVENET y SKUDONET. Las versiones afectadas (2.0 y 3.0-rc1) ya no reciben soporte. SKUDONET CE es el sucesor actual, mantenido por la comunidad."}], "lastModified": "2025-08-11T18:32:48.867", "sourceIdentifier": "[email protected]"}