PT-2025-32552 · Unknown+1 · Zen Load Balancer+2
Published: 2025-08-11 · Updated: 2025-08-11 · CVE-2012-10039
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:
ZEN Load Balancer version 2.0
ZEN Load Balancer version 3.0-rc1
Description:
ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection issue in the content2-2.cgi file. The filelog parameter is passed directly to an exec() call delimited by backticks without proper sanitization. An authenticated attacker can inject arbitrary shell commands, leading to remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions are no longer supported, with SKUDONET CE being the current community-maintained successor.
Recommendations:
ZEN Load Balancer version 2.0: As the product is no longer supported, there is no information about a newer version that contains a fix for this vulnerability.
ZEN Load Balancer version 3.0-rc1: As the product is no longer supported, there is no information about a newer version that contains a fix for this vulnerability.
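With no fixed release for either version, reviewing captured requests to content2-2.cgi is one way to spot abuse of the filelog parameter. The following is an added example, not code from the advisory or from the ZEN Load Balancer project; the allowlist pattern, the URL path prefix and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

SCRIPT = "content2-2.cgi"  # vulnerable file named in the advisory
PARAM = "filelog"          # vulnerable parameter named in the advisory

# Assumption (not from the advisory): a legitimate filelog value is a bare
# log file name. Shell metacharacters, whitespace, path separators and
# empty values all fail this pattern and are reported for review.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def filelog_values(request_target, body=""):
    """Return the decoded filelog values of one request to content2-2.cgi."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/" + SCRIPT):
        return []
    values = []
    # The parameter may arrive in the query string or in a form-encoded body.
    for encoded in (parts.query, body):
        values += parse_qs(encoded, keep_blank_values=True).get(PARAM, [])
    return values


def is_suspicious(value):
    """True when the value is anything other than a plain file name."""
    return SAFE_VALUE.fullmatch(value) is None


def scan(requests):
    """Take (request_target, body) pairs, return flagged (target, value) pairs."""
    return [(target, value)
            for target, body in requests
            for value in filelog_values(target, body)
            if is_suspicious(value)]


# Constructed sample requests (paths and values are illustrative only).
SAMPLE = [
    ("/other.cgi?filelog=a%3Bb", ""),                # different script: ignored
    ("/content2-2.cgi?filelog=farm.log", ""),        # plain file name: clean
    ("/content2-2.cgi?filelog=farm.log%3Bid", ""),   # ';' after the name
    ("/content2-2.cgi", "filelog=%60id%60"),         # backticks in a POST body
    ("/content2-2.cgi", "filelog=farm.log"),         # plain file name: clean
]

if __name__ == "__main__":
    for target, value in scan(SAMPLE):
        print(f"suspicious filelog value {value!r} in request {target}")
```

Request bodies are only available when the web server or a proxy in front of it records them; with access logs alone, only the query-string case is visible.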
RCE
OS Command Injection
Affected Products
Skudonet Ce
Zen Load Balancer
Zevenet