Threat level: high

Cockpit 359 Remote Code Execution Vulnerability

Cockpit version 359 is vulnerable to remote code execution, and a public exploit is available on Exploit-DB, increasing the risk for unpatched systems.

A remote code execution (RCE) vulnerability affects Cockpit version 359. A public exploit (EDB-52572) demonstrating the vulnerability has been published on Exploit-DB. Cockpit is a web-based system administration interface. The existence of a public exploit significantly raises the risk to systems running unpatched instances of Cockpit 359. Attackers can leverage this exploit to execute arbitrary code on the target system, potentially leading to complete system compromise. Defenders should prioritize patching or mitigating this vulnerability.

Attack Chain

  1. Attacker identifies a vulnerable Cockpit 359 instance accessible over the network.
  2. Attacker crafts a malicious HTTP request containing the RCE exploit.
  3. The malicious request is sent to the vulnerable Cockpit instance.
  4. The Cockpit application processes the request, triggering the RCE vulnerability.
  5. The attacker executes arbitrary code on the server, such as injecting a web shell.
  6. The attacker uses the web shell for further reconnaissance within the compromised network.
  7. The attacker escalates privileges to gain administrative access.
  8. The attacker deploys malware or exfiltrates sensitive data.

Impact

Successful exploitation of the RCE vulnerability in Cockpit 359 allows attackers to execute arbitrary code on the affected system. This can lead to complete system compromise, data breaches, and further lateral movement within the network. The availability of a public exploit makes this vulnerability easily exploitable by both sophisticated and unsophisticated threat actors. Organizations using Cockpit 359 are at high risk until they apply the necessary patches or implement mitigation measures.

Recommendation

  • Deploy the Sigma rule Detect Cockpit 359 RCE Attempt to your SIEM to identify potential exploitation attempts.
  • Apply available patches for Cockpit 359 to remediate the RCE vulnerability.
  • Monitor web server logs for suspicious activity targeting Cockpit instances to detect unusual requests.

Detection coverage (2 rules)

Detect Cockpit 359 RCE Attempt

Level: high

Detects potential exploitation attempts of the RCE vulnerability in Cockpit 359 based on suspicious HTTP requests.

Rule type: sigma | Tactics: execution | Techniques: T1059.001 | Sources: webserver

Detect Suspicious Cockpit Process Execution

Level: medium

Detects execution of unusual processes spawned by the Cockpit web server process.

Rule type: sigma | Tactics: execution | Techniques: T1059.004 | Sources: process_creation, linux
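The logic behind the second rule, as an added example that is not the platform's Sigma rule: it reads process-creation events (constructed here as JSON lines) and flags any child of the Cockpit web server process (`cockpit-ws`) that is not part of normal session setup, rating shells and script interpreters as high. The allowlist of expected children is an assumption to tune for your distribution's Cockpit build.

```python
import json
from typing import Iterable, Optional

# Children cockpit-ws is expected to launch (assumption: adjust to your distribution's build).
EXPECTED_CHILDREN = {"cockpit-session", "cockpit-ssh", "cockpit-bridge", "cockpit-certificate-ensure"}
# Command interpreters; a shell directly under the web server is the strongest signal.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python3", "perl", "php"}


def basename(path: str) -> str:
    """Return the executable name from a full path."""
    return path.rsplit("/", 1)[-1]


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event.get("parent_image", "")) != "cockpit-ws":
        return None                      # not spawned by the Cockpit web server
    child = basename(event.get("image", ""))
    if child in EXPECTED_CHILDREN:
        return None                      # normal Cockpit session setup
    return "high" if child in INTERPRETERS else "medium"


def scan(lines: Iterable[str]) -> list[tuple[str, int, str]]:
    """Map JSON-lines process events to (level, pid, cmdline) findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        level = classify(ev)
        if level:
            findings.append((level, ev["pid"], ev.get("cmdline", "")))
    return findings


# Constructed sample events (not real telemetry): one JSON object per line.
SAMPLE_EVENTS = """
{"pid": 2001, "parent_image": "/usr/libexec/cockpit-ws", "image": "/usr/libexec/cockpit-session", "cmdline": "cockpit-session"}
{"pid": 2002, "parent_image": "/usr/libexec/cockpit-ws", "image": "/bin/sh", "cmdline": "sh -c id"}
{"pid": 2003, "parent_image": "/usr/libexec/cockpit-ws", "image": "/usr/bin/curl", "cmdline": "curl http://203.0.113.5/"}
{"pid": 2004, "parent_image": "/usr/bin/bash", "image": "/bin/sh", "cmdline": "sh ./build.sh"}
"""

if __name__ == "__main__":
    for level, pid, cmd in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{level}] pid={pid} cmdline={cmd!r}")
```

In production the events would come from auditd, eBPF or an EDR agent rather than a string, and the parent lookup should use the resolved executable path rather than a self-reported process name.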

Detection queries are available on the platform.