Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Crafted ACME response yields RCE as the renewal user, so C:H/I:H/A:H; AC:H reflects required CA control or on-path TLS tamper; PR:N/UI:N - no victim creds or interaction.
Primary rating from Vendor (runZero).
CVSS VectorVendor: runZero
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.
AnalysisAI
Remote command injection in ServerCo getssl 2.49 and prior allows an attacker who controls or tampers with ACME challenge responses (a malicious/compromised CA endpoint or on-path adversary) to write attacker-chosen file paths via tokens that violate RFC 8555 base64url constraints, typically yielding code execution as the privileged user that renews certificates. The issue was reported by runZero, fixed upstream in v2.50, and at the time of analysis there is no public exploit identified and the CVE is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control the ACME challenge token the victim's getssl instance receives. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 7.4 vector (AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:N) accurately captures the trade-off: no credentials and no user interaction are needed (PR:N/UI:N), but AC:H reflects that the attacker must control or tamper with the ACME server's response channel - either by operating a malicious/compromised CA the victim has configured, or by an on-path TLS-tampering position between getssl and the CA. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An adversary operating a hostile ACME directory the victim has configured, or sitting on-path with the ability to alter the CA's HTTP/TLS responses (e.g., a lawful-intercept appliance or a compromised upstream proxy), returns a challenge token that contains path-traversal segments and shell metacharacters instead of a clean base64url string. When getssl writes the challenge file using that token, the path escapes the challenge directory and/or the shell command line gets reinterpreted, executing attacker-supplied commands as the (often root) user running the renewal. … |
| Remediation | Vendor-released patch: upgrade to getssl v2.50 (https://github.com/srvrco/getssl/releases/tag/v2.50), which lands the validate_token function and basename hardening from PR #896 (https://github.com/srvrco/getssl/pull/896). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all ServerCo getssl installations in production and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37201
GHSA-9v83-jvh5-6gh3