CVE-2012-10039 CRITICAL

CVE-2012-10039: ZEN Load Balancer Filelog Command Execution

Vendor Zen Load Balancer

Product ZEN Load Balancer

Weakness CWE-78

Published August 11, 2025

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor.

Key dates

02Disclosure timeline

August 11, 2025 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2012-10039 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2012-10039

CWE CWE-78

CVSS 9.4 / CRITICAL

Affected versions

Vendor Zen Load Balancer

Product ZEN Load Balancer

Affected 2.0

Vendor Zen Load Balancer

Product ZEN Load Balancer

Affected 3.0-rc1

CVE-2012-10039: ZEN Load Balancer Filelog Command Execution

01Description

02Disclosure timeline

03References

04Related CVE